miguelgrinberg / Flask-SocketIO

Socket.IO integration for Flask applications.
MIT License

More secure nginx configuration examples #1966

Closed LorenzoLeonardini closed 1 year ago

LorenzoLeonardini commented 1 year ago

The current Nginx example configuration in the docs is potentially vulnerable. This PR fixes that to avoid people introducing potential issues in their apps when copy-pasting that configuration.

Explanation

This is the current configuration:

location /static {
    alias <path-to-your-application>/static;
    expires 30d;
}

In case there are two separate folders, <path-to-your-application>/static and <path-to-your-application>/static_secret, this setup would allow an attacker to access all the files contained in /static_secret just by requesting http://[domain]/static_secret/[file]. Adding a final slash ensures only the static folder is served.

location /static/ {
    alias <path-to-your-application>/static/;
    expires 30d;
}

Note that as we add the slash to alias <path-to-your-application>/static/, it's extremely important that we add the final slash to location /static/ as well, as a lack of this would lead to a much more serious path traversal vulnerability [1][2].
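The following is an added example, not code from this PR or from the Flask-SocketIO project. It emulates how nginx resolves a request URI through a prefix `location` with `alias` (longest matching prefix wins, the remainder of the URI is appended to the alias path), checks whether the resolved file stays inside the intended directory, and lints a config for the two trailing-slash mistakes discussed above: no slash on either side (sibling directories sharing the prefix are exposed) and a slash on the alias but not on the location (the off-by-slash traversal case). The configs and the `/srv/app/...` paths are constructed for the example; the parser handles only simple, non-nested `location` blocks without modifiers.

```python
import posixpath
import re

# Constructed sample configs (hypothetical paths, not from the project).
CONFIG_BEFORE = """
location /static {
    alias /srv/app/static;
    expires 30d;
}
"""

CONFIG_AFTER = """
location /static/ {
    alias /srv/app/static/;
    expires 30d;
}
"""

# Slash on the alias only: the case the PR calls out as more serious.
CONFIG_SLASH_MISMATCH = """
location /static {
    alias /srv/app/static/;
}
"""

# Simple prefix locations only (no =, ~, ^~ modifiers, no nested blocks).
LOCATION_RE = re.compile(r"location\s+(?P<prefix>/\S*)\s*\{(?P<body>[^}]*)\}", re.S)
ALIAS_RE = re.compile(r"alias\s+(?P<path>[^;\s]+)\s*;")


def parse_alias_locations(config):
    """Return (location_prefix, alias_path) pairs for prefix locations using alias."""
    pairs = []
    for m in LOCATION_RE.finditer(config):
        a = ALIAS_RE.search(m.group("body"))
        if a:
            pairs.append((m.group("prefix"), a.group("path")))
    return pairs


def lint(config):
    """Flag the trailing-slash problems described in the PR. Returns a list of findings."""
    findings = []
    for prefix, alias in parse_alias_locations(config):
        if not prefix.endswith("/") and not alias.endswith("/"):
            findings.append(
                f"{prefix}: no trailing slash on location or alias; sibling paths sharing "
                f"the prefix (e.g. {prefix}_secret) resolve under {alias}_secret"
            )
        elif not prefix.endswith("/") and alias.endswith("/"):
            findings.append(
                f"{prefix}: location lacks a trailing slash but alias has one; "
                "off-by-slash path traversal"
            )
    return findings


def resolve(config, request_path):
    """Emulate nginx prefix matching plus alias substitution.

    Returns the filesystem path nginx would open for request_path, or None when
    no alias location matches. Longest matching prefix wins; the part of the URI
    after the prefix is appended verbatim to the alias path.
    """
    best = None
    for prefix, alias in parse_alias_locations(config):
        if request_path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, alias)
    if best is None:
        return None
    prefix, alias = best
    return alias + request_path[len(prefix):]


def escapes(config, request_path, intended_dir):
    """True if request_path resolves to a file outside intended_dir."""
    path = resolve(config, request_path)
    if path is None:
        return False  # nothing served, so nothing exposed
    norm = posixpath.normpath(path)
    root = posixpath.normpath(intended_dir)
    return not (norm == root or norm.startswith(root + "/"))


if __name__ == "__main__":
    for name, cfg in [("before", CONFIG_BEFORE), ("after", CONFIG_AFTER),
                      ("mismatch", CONFIG_SLASH_MISMATCH)]:
        print(name, "lint:", lint(cfg) or "clean")
    # The request from the PR description against the old and new configs.
    req = "/static_secret/key.pem"
    print("before ->", resolve(CONFIG_BEFORE, req),
          "escapes:", escapes(CONFIG_BEFORE, req, "/srv/app/static"))
    print("after  ->", resolve(CONFIG_AFTER, req),
          "escapes:", escapes(CONFIG_AFTER, req, "/srv/app/static"))
```

With the old config, `/static_secret/key.pem` matches the `/static` prefix and resolves to `/srv/app/static_secret/key.pem`, outside the intended directory; with the trailing slash on both sides the request matches no alias location at all. The containment check in `escapes` is the property a deployment test should assert for every alias location, independent of which of the two mistakes was made.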