Potential Security Concern / Feature Request
-
I know surfer is supposed to be a simple app, but would it be possible for the app to be configured in such a way that it would not serve out files or full directories that start with "."?
Examples would be:
.git
.htaccess
(I know these aren't used here, but for example's sake)
I wanted to sync my surfer app with a git repo for ease of updating and it serves the .git folder. Not a huge risk but the config file in there can hold some sensitive information in some cases.
-
It sounds a bit like you have some workflow or specific use-case in mind when you talk about syncing a git repo. Can you maybe describe what your plan is? Then maybe there is a better solution than hiding files based on some rules. We can add this to surfer, but I guess this needs to be configurable then for other regular file serving usage.
-
@nebulon Yeah it is pretty specific I suppose. Maybe allowing the admin to select folders/files to be hidden from public view is the best option then instead. My use case is that I am using a non-public git repo to publish to my site but also keep track of changes. I am sure I'm not the only one using surfer in this way, but I also know that it's a niche request. I'd be more than happy to clone surfer, add the feature and submit a PR if that better suits Cloudron staff.
-
@nebulon I am logging into my cloudron instance -> app -> terminal -> cd public -> git fetch && git pull directly in the app - that's how the folder gets there.
@jdaviescoates - Hidden folders in surfer still get served up.
To be clear I am NOT copying a git repo over webdav or ftp here, I am using git clone / git pull directly on the app...
-
@murgero said in Potential Security Concern / Feature Request:
@jdaviescoates - Hidden folders in surfer still get served up.
I know. I was suggesting that perhaps Surfer could have an option for them not to be.
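One way the option discussed in this thread could work, as an added example that is not surfer's code and not from any poster: a check that refuses a request when any path segment starts with ".", including percent-encoded forms. The names `isServable`, `refusedPaths` and the `allowList` setting (with `.well-known` as its default) are assumptions made for illustration, and the sample requests are constructed.

```javascript
// Added example; isServable() and refusedPaths() are hypothetical names, not surfer's API.

// Decode one path segment; null signals a malformed percent-escape.
function decodeSegment(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    return null;
  }
}

// True when the request path may be served, false when any segment is hidden.
// allowList is an assumed configuration knob for dot-directories that must stay public.
// Run this on the same path string the file lookup will use, decoded the same number of times.
function isServable(requestPath, allowList = ['.well-known']) {
  const pathOnly = requestPath.split(/[?#]/, 1)[0]; // ignore query string and fragment
  for (const raw of pathOnly.split('/')) {
    const seg = decodeSegment(raw);
    if (seg === null) return false; // undecodable input is refused, not guessed at
    // An encoded separator or NUL would change which file is opened after decoding.
    if (/[\/\\\0]/.test(seg)) return false;
    // Covers ".git", ".htaccess" and also the "." and ".." segments.
    if (seg.startsWith('.') && !allowList.includes(seg)) return false;
  }
  return true;
}

// Constructed sample requests, not taken from any real log.
const SAMPLE_REQUESTS = [
  '/index.html',
  '/.git/config',
  '/assets/.htaccess',
  '/%2Egit/HEAD',
  '/docs%2f.git/config',
  '/.well-known/security.txt',
  '/v1.2/notes.txt',
];

// Returns the subset of paths that would be refused under the given allow-list.
function refusedPaths(paths, allowList) {
  return paths.filter((p) => !isServable(p, allowList));
}
```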