EAAS/NFV>> plug_static_ls>> 返回
项目作者: jj1bdx

项目描述 :
Serving directory Index for Plug/Phoenix Static Assets
高级语言: Elixir
项目地址: git://github.com/jj1bdx/plug_static_ls.git
创建时间: 2017-01-05T12:32:53Z
项目社区:https://github.com/jj1bdx/plug_static_ls
开源协议:Apache License 2.0
下载


PlugStaticLs

Directory Index for Plug/Phoenix Static Assets

Security fix

  • Null byte injection in Plug.Static source code affected PlugStaticLs
  • See https://elixirforum.com/t/security-releases-for-plug/3913
  • Versions affected: v0.6.0 and all earlier versions v0.[012345].x
  • Version fixed: v0.6.1
  • Thanks to: José Valim for reporting and summary (See the Elixir Forum article for the original contributors)

WARNING: inherent vulnerabilities regarding directory listing

Providing directory listing may reveal following vulnerabilities:

  • Contents of unintended files left in the directory will be shown to the HTTP clients, including the search engines.
  • Directory listing requires file stat operations and may result in consuming computing resources.
  • Directory listing reveals not only the file contents but the file name, the last modification time (mtime), and the size.

Here is a list of security advisories against making directory listing available to the public:

Do not provide directory listing unless you are 100% sure about the contents in the directory.

Installation

This package is available in Hex as plug_static_ls. The package can be installed as:

  1. Add plug_static_ls to your list of dependencies in mix.exs:

    1. def deps do
    2.  [{:plug_static_ls, "~> 0.6.1"}]
    3. end

  2. Ensure plug_static_ls is started before your application:

    1. def application do
    2.  [applications: [:plug_static_ls]]
    3. end

Prerequisites

The filename locale of the Erlang VM must be explicitly specified to UTF-8.
See Erlang’s erl +fnu option description for the details.

Note: Elixir assumes UTF-8 usage on the filenames and internal strings.

Usage

Add PlugStaticLs after Plug.Static in endpoint.ex. The access restriction options for PlugStaticLs should include the corresponding setting of Plug.Static. Allow access only to the directories where the index is really required.

  1. plug Plug.Static, at: "/", from: :my_app
  2. plug PlugStaticLs, at: "/", from: :my_app, only: ~w(with_listing)
  4. # Note: non-existent file will be routed here
  5. # Explicit plug to catch this case is required

Dialyzer via dialyxir can be used via mix dialyzer.

License

Apache License 2

Acknowledment

The basic skeleton of this package is derived from
static.ex
aka Plug.Static module of the Plug repository.

The directory listing page design is derived from Yaws Web Server.