Potential Security Concern / Feature Request
-
I know surfer is supposed to be a simple app, but would it be possible for the app to be configured in such a way that it would not serve out files or full directories that start with "."
Examples would be:
.git.htaccess(I know these aren't used here, but for examples sake)
I wanted to sync my surfer app with a git repo for ease of updating and it serves the .git folder. Not a huge risk but the config file in there can hold some sensitive information in some cases.
-
It sounds a bit like you have some work-flow or specific use-case in mind when you talk about syncing a git repo. Can you maybe describe what your plan is and then maybe there is a better solution than hiding files based on some rules. We can add this to surfer, but I guess this needs to be configurable then for other regular file serving usage.
-
It sounds a bit like you have some work-flow or specific use-case in mind when you talk about syncing a git repo. Can you maybe describe what your plan is and then maybe there is a better solution than hiding files based on some rules. We can add this to surfer, but I guess this needs to be configurable then for other regular file serving usage.
@nebulon Yeah it is pretty specific I suppose. Maybe allowing the admin to select folders/files to be hidden from public view is the best option then instead. My use case is that I am using a non-public git repo to publish to my site but also keep track of changes. I am sure I'm not the only one using surfer in this way, but I also know that it's a niche request. I'd be more than happy to clone surfer add the feature and submit a PR if that better suits Cloudron staff.
--
https://urgero.org
~ Professional Nerd. Freelance Programmer. ~ -
@nebulon Yeah it is pretty specific I suppose. Maybe allowing the admin to select folders/files to be hidden from public view is the best option then instead. My use case is that I am using a non-public git repo to publish to my site but also keep track of changes. I am sure I'm not the only one using surfer in this way, but I also know that it's a niche request. I'd be more than happy to clone surfer add the feature and submit a PR if that better suits Cloudron staff.
@murgero There could also just be an option to show/ hide hidden files (ie those that start with . ) like on desktop file browsers?
-
@nebulon Yeah it is pretty specific I suppose. Maybe allowing the admin to select folders/files to be hidden from public view is the best option then instead. My use case is that I am using a non-public git repo to publish to my site but also keep track of changes. I am sure I'm not the only one using surfer in this way, but I also know that it's a niche request. I'd be more than happy to clone surfer add the feature and submit a PR if that better suits Cloudron staff.
-
@murgero to take a step back, why are you pushing the .git folder in the first place, if you don't want to have things public? I feel like you could just not do that instead, no? Maybe I don't fully get the flow you are using there.
@nebulon I am logging into my cloudron instance -> app -> terminal -> cd public ->
git fetch && git pulldirectly in the app - that's how the folder gets there.@jdaviescoates - Hidden folders in surfer still get served up.
To be clear I am NOT copying a git repo over webdav or ftp here, I am using
git clone/git pulldirectly on the app...--
https://urgero.org
~ Professional Nerd. Freelance Programmer. ~ -
@nebulon I am logging into my cloudron instance -> app -> terminal -> cd public ->
git fetch && git pulldirectly in the app - that's how the folder gets there.@jdaviescoates - Hidden folders in surfer still get served up.
To be clear I am NOT copying a git repo over webdav or ftp here, I am using
git clone/git pulldirectly on the app...@murgero said in Potential Security Concern / Feature Request:
@jdaviescoates - Hidden folders in surfer still get served up.
I know. I was suggesting that perhaps Surfer could have an option for them not to be.
