PlugStaticLs

Directory Index for Plug/Phoenix Static Assets

Security fix

  • Null byte injection in Plug.Static source code affected PlugStaticLs
  • See https://elixirforum.com/t/security-releases-for-plug/3913
  • Versions affected: v0.6.0 and all earlier versions v0.[012345].x
  • Version fixed: v0.6.1
  • Thanks to: José Valim for reporting and summarizing the issue (see the Elixir Forum article for the original contributors)

WARNING: inherent vulnerabilities regarding directory listing

Providing a directory listing carries the following inherent risks:

  • The contents of unintended files left in the directory will be shown to HTTP clients, including search engines.
  • Directory listing requires file stat operations and can consume computing resources.
  • Directory listing reveals not only the file contents but also each file's name, last modification time (mtime), and size.

Here is a list of security advisories against making directory listing available to the public:

Do not provide directory listing unless you are 100% sure about the contents in the directory.

Installation

This package is available in Hex as plug_static_ls. The package can be installed as:

  1. Add plug_static_ls to your list of dependencies in mix.exs:
```elixir
def deps do
  [{:plug_static_ls, "~> 0.6.1"}]
end
```
  2. Ensure plug_static_ls is started before your application:
```elixir
def application do
  [applications: [:plug_static_ls]]
end
```

Prerequisites

The filename locale of the Erlang VM must be explicitly set to UTF-8. See the description of Erlang's erl +fnu option for details.

Note: Elixir assumes UTF-8 usage on the filenames and internal strings.

Usage

Add PlugStaticLs after Plug.Static in endpoint.ex. The access-restriction options given to PlugStaticLs should match the corresponding settings of Plug.Static. Allow access only to the directories where an index is really required.

```elixir
plug Plug.Static, at: "/", from: :my_app
plug PlugStaticLs, at: "/", from: :my_app, only: ~w(with_listing)

# Note: a request for a non-existent file will be routed here.
# An explicit plug to catch this case is required.
```
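As an added example (not PlugStaticLs code, and not taken from the Plug repository), the hypothetical ListingGuard module below shows the checks a directory-listing plug should make before it touches the filesystem: rejecting null bytes (the class of bug named in the Security fix section), rejecting traversal segments, and honouring an `only:`-style allowlist as in the Usage snippet above. It assumes the request path arrives as a list of segments (like `conn.path_info`) and that the allowlist is matched against the first segment.

```elixir
# Hypothetical helper, added for illustration; not part of PlugStaticLs.
defmodule ListingGuard do
  @moduledoc """
  Decides whether a request path may receive a directory listing.
  Assumption (not from the README): the allowlist in `only` names
  top-level directories, matched against the first path segment.
  """

  @doc "Returns {:ok, segments} when a listing is permitted, else {:error, reason}."
  def check(path_info, only) when is_list(path_info) and is_list(only) do
    with :ok <- reject_null_bytes(path_info),
         :ok <- reject_traversal(path_info),
         :ok <- check_allowlist(path_info, only) do
      {:ok, path_info}
    end
  end

  # A null byte inside a segment can truncate the name once it reaches the
  # OS file API, so it must be rejected before any File.ls/1 or File.stat/1 call.
  defp reject_null_bytes(segments) do
    if Enum.any?(segments, &String.contains?(&1, <<0>>)),
      do: {:error, :null_byte},
      else: :ok
  end

  # "..", "." and empty segments could escape or alias the static root.
  defp reject_traversal(segments) do
    if Enum.any?(segments, &(&1 in ["..", ".", ""])),
      do: {:error, :traversal},
      else: :ok
  end

  # Only directories named in `only` (e.g. ~w(with_listing)) get a listing.
  defp check_allowlist([first | _rest], only) do
    if first in only, do: :ok, else: {:error, :not_listed}
  end

  defp check_allowlist([], _only), do: {:error, :not_listed}
end

# Constructed sample requests (segments as a Plug would present them):
IO.inspect(ListingGuard.check(["with_listing"], ~w(with_listing)))
IO.inspect(ListingGuard.check(["with_listing", "a" <> <<0>> <> "b"], ~w(with_listing)))
IO.inspect(ListingGuard.check(["..", "etc"], ~w(with_listing)))
IO.inspect(ListingGuard.check(["priv"], ~w(with_listing)))
```

Run it with `elixir listing_guard.exs`; only the first request yields an `{:ok, _}` result, the others return the matching `{:error, _}` reason.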

Dialyzer can be run through dialyxir with mix dialyzer.

License

Apache License 2

Acknowledgment

The basic skeleton of this package is derived from static.ex, i.e. the Plug.Static module, in the Plug repository.

The directory listing page design is derived from Yaws Web Server.