sajjadium / ctf-archives

CTF Archives: Collection of CTF Challenges.
https://twitter.com/sajjadium
MIT License

Disable follow_symlinks #3

Closed Dreamsorcerer closed 9 months ago

Dreamsorcerer commented 9 months ago

I'm checking that this parameter wasn't set by mistake. The parameter allows a symlink to point to somewhere outside of the static directory. Symlinks that point within the directory will work without enabling this parameter (it's badly named). Therefore enabling this option could make it easy to misconfigure an environment and introduce security issues.

If you're absolutely sure you need this parameter, then please ensure your server is upgraded to aiohttp 3.9.2 immediately (security advisory will be published about this tomorrow).
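The resolver below is an added example, not code from ctf-archives or from aiohttp, and it does not reproduce aiohttp's implementation. It models the distinction drawn in the comment above: a symlink inside the static root that points back inside the root is served without `follow_symlinks`; with `follow_symlinks=True` a link that points outside the root is followed, but a request containing `..` must still be confined to the root, because a path check that is skipped when the option is on is exactly the misconfiguration that turns a static route into an arbitrary file read. The directory layout, file names and contents are constructed for the example; `resolve_unchecked`, `resolve_confined`, `serve` and `build_fixture` are names chosen here.

```python
"""Added example: confining a static-file resolver with and without symlink following."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def resolve_unchecked(root: Path, request_path: str) -> Path:
    """Weak resolver: joins root and request path and trusts the result.

    Both '..' traversal and symlinks pointing outside the root escape it.
    """
    return root / request_path.lstrip("/")


def resolve_confined(root: Path, request_path: str, follow_symlinks: bool = False) -> Path:
    """Hardened resolver. Raises ValueError when the request escapes the root.

    follow_symlinks=False: resolve symlinks, then require the real file to be
      under the real root (a link that points inside the root still works).
    follow_symlinks=True: do not resolve symlinks (so a link may point outside
      the root by design), but still normalise '..' lexically and require the
      normalised path to be under the root.
    """
    root = root.resolve()
    candidate = root / request_path.lstrip("/")
    if follow_symlinks:
        # Lexical normalisation only: collapses '..' without touching symlinks.
        normalised = Path(os.path.normpath(candidate))
        normalised.relative_to(root)  # ValueError if '..' climbed out of root
        return normalised
    resolved = candidate.resolve()
    resolved.relative_to(root)  # ValueError if a symlink or '..' left the root
    return resolved


def serve(root: Path, request_path: str, follow_symlinks: bool = False) -> str | None:
    """Return the file body, or None when the request is rejected or not a file."""
    try:
        path = resolve_confined(root, request_path, follow_symlinks)
    except ValueError:
        return None
    if not path.is_file():
        return None
    return path.read_text()


def build_fixture() -> tuple[Path, Path]:
    """Constructed layout (hypothetical, for the example):

    tmp/outside/secret.txt              a file that must never be served
    tmp/static/index.html               an ordinary static file
    tmp/static/inner_link -> index.html               points within the root
    tmp/static/outer_link -> ../outside/secret.txt    points outside the root

    Returns (static_root, tmp_dir).
    """
    tmp = Path(tempfile.mkdtemp())
    outside = tmp / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("secret")
    static = tmp / "static"
    static.mkdir()
    (static / "index.html").write_text("<h1>hi</h1>")
    os.symlink("index.html", static / "inner_link")
    os.symlink("../outside/secret.txt", static / "outer_link")
    return static, tmp


def main() -> None:
    static, _ = build_fixture()
    cases = ["index.html", "inner_link", "outer_link", "../outside/secret.txt"]
    for follow in (False, True):
        print(f"follow_symlinks={follow}")
        for req in cases:
            print(f"  {req!r:28} -> {serve(static, req, follow)!r}")
    # The unchecked resolver happily hands out the file outside the root.
    print("unchecked ../outside/secret.txt ->",
          resolve_unchecked(static, "../outside/secret.txt").read_text())


if __name__ == "__main__":
    main()
```

In aiohttp itself the parameter is the `follow_symlinks` keyword of `web.static()` / `add_static()`; the point of the example is that leaving it at its default of `False` is what keeps every served file under the real static root, and that turning it on is only safe on a version that still confines the lexical path.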