Closed radim closed 8 months ago
I reinstated the initial comment. Other people may have the same interrogations as you.
The SQLPage blocks access to the ./sqlpage/ folder by default, and makes the WEB_ROOT (the folder from which .sql files are served) configurable.
Hey, thank you for making SQLPage a reality! One question re: security: is it intended behaviour that I can execute migrations and any other .sql files in sqlite/migrations/ externally?
Having said that, is there any way to configure a 'safe' location? I have tried to have a look at the source code and there's little protection, as read_to_string(app_state, path, true) is always called with Privileged == true (if that is the thing that makes the difference), and that's used in the evaluation of safe_local_path. Initially I hoped the sqlpage location was going to be protected, but I can successfully evaluate
curl -v http://localhost:8080/sqlpage/migrations/001_test.sql
(both using development and production mode).
Also, how is static_path supposed to be used in custom components?
I guess I can have a look and create PR if you can provide some hints at the general idea around the security.
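As an added illustration of the behaviour the maintainer describes (blocking the ./sqlpage/ folder while serving .sql files from WEB_ROOT), here is an example request-path check. It is not SQLPage's own code: the function name `safe_local_path` mirrors the one mentioned in the issue, the protected directory name `sqlpage` and the web root `/srv/www` are assumptions, and the check refuses both traversal out of the root and any request whose first path component is the protected folder.

```rust
// Added illustrative example, not SQLPage's implementation.
use std::path::{Component, Path, PathBuf};

/// Directory under the web root that must never be served (assumed name,
/// compared case-sensitively like a Linux filesystem would).
const PROTECTED_DIR: &str = "sqlpage";

#[derive(Debug, PartialEq)]
pub enum PathError {
    Traversal, // "..", absolute path or drive prefix in the request
    Protected, // request resolves into the protected ./sqlpage/ folder
    Encoding,  // malformed percent-encoding
}

/// Decode %XX sequences before any path inspection, so that "%2e%2e" is seen
/// as ".." by the component check instead of slipping past a literal match.
fn percent_decode(s: &str) -> Result<String, PathError> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = s.get(i + 1..i + 3).ok_or(PathError::Encoding)?;
            out.push(u8::from_str_radix(hex, 16).map_err(|_| PathError::Encoding)?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| PathError::Encoding)
}

/// Map an HTTP request path onto a file below `web_root`, refusing anything
/// that escapes the root or enters the protected directory.
pub fn safe_local_path(web_root: &Path, request_path: &str) -> Result<PathBuf, PathError> {
    let decoded = percent_decode(request_path)?;
    let mut rel = PathBuf::new();
    for comp in Path::new(decoded.trim_start_matches('/')).components() {
        match comp {
            Component::Normal(part) => rel.push(part),
            Component::CurDir => {}
            _ => return Err(PathError::Traversal), // ParentDir, RootDir, Prefix
        }
    }
    // Only the first component decides whether the request is inside ./sqlpage/;
    // a file such as "sqlpage.sql" at the root is still allowed.
    if rel.components().next().map_or(false, |c| c.as_os_str() == PROTECTED_DIR) {
        return Err(PathError::Protected);
    }
    Ok(web_root.join(rel))
}
```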