Comments (2)
cubiclesoft
commented on May 18, 2024
It most likely depends on where the symlink is pointing and what is happening on the server side. If you are using the FileExplorerFSHelper class and it is pointing outside of the base path, then GetSanitizedPath() is going to return a failure response. Changing GetSanitizedPath() is likely to lead to security vulnerabilities - it's purpose is to prevent accessing locations on the system that could be dangerous by restricting filesystem access to the base path. The concept of directly accessing a filesystem from a web browser carries a lot of security caveats. You don't want to have an attacker gain read or write access to areas of the filesystem outside of the expected purview of the application. Attackers sending falsified paths that leave the current base path is almost always going to be a problem from a security perspective.
If you are inside the base path, then the other possibility is permissions. The web server user has to be able to read the target of a symlink. That's baked into the OS itself. Reading the attributes of a file/directory in a directory you have access to doesn't require the same permissions as accessing the file/directory. That's why you can obtain the information that you are seeing.
from js-fileexplorer.
scoutpup
commented on May 18, 2024
Makes sense; thanks for the clarification! In my case I'm trying to make the contents of a second hard drive available in the application; I'll try making that hard drive the base path. As only trusted users will have access to the system I'm not too worried about malicious actors, but will keep your points in mind.
from js-fileexplorer.
Related Issues (20)
- Upload not working for files with size over chunksize HOT 2
- What are js-fileexplorer differences from WebDAV? HOT 1
- No tags, no npm/yarn, no composer ? HOT 3
- Error downloading multiple files HOT 14
- Doesn't open folders on iOS HOT 14
- Hide options (cut, upload, download) if they are disabled. HOT 6
- Feature: Add a package.json for importing into npm projects HOT 2
- there is no way to upload files using other transport method than built-in method HOT 3
- Display details about each uploaded file in a separate UI
- How to get file object for file upload? HOT 4
- onmove - get file names by ids HOT 3
- Linux support HOT 1
- How to use without php? HOT 2
- PNG vs. SVG icons
- ARIA implementation/ADA screen reader compliance
- License request HOT 2
- Cool project. HOT 1
- How to empty recycle bin? HOT 1
- Skin / design contribution HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from js-fileexplorer.