fix: preventing inappropriate directory access and listings #2313
Conversation
Other paths that are also accessible:
Actually, the plugin jekyll-redirect-from is not very useful for hiding web site directories, and can even be completely removed from the project without any problems.

If the site is hosted on a platform such as GitHub Pages, it will automatically jump to a 404 when accessing a page that doesn't exist; you can verify this by visiting https://chirpy.cotes.page/assets/css/. If the site is hosted on a private server, we can configure the web server to hide specific file paths.
I understand; it was my lack of knowledge then. I thought it would behave the same way in cases of deployment even if they were not behind a web server. In my case, I am deploying with Cloudflare Pages, and testing now, these accesses are also redirected to
Description
This PR prevents the site user from being able to access directories that they should not have access to, such as the path `/assets/css/`; it is possible to access this path as seen in the image below. This behavior occurs with the following paths:

`/assets/css/`
`/assets/img/`
`/assets/js/`

To fix this I adjusted the `/assets/404.html` file so that the user is redirected to the 404 error page if they try to access any of the paths mentioned above.

Additional context

I noticed this problem because in my project I noticed that when trying to access `/Makefile` in the browser, I was able to download the file, so I figured it might not be the only file with this problem. Looking for more accessible paths with dirb we have the following report:

When running `dirb http://127.0.0.1:4000/ /usr/share/wordlists/dirb/common.txt`

If the developer creates other files in the project root, or in a `/assets/new-folder` folder, these will also be accessible; perhaps it would be interesting to warn about this in the documentation.
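A post-deploy check for the paths named in this thread, added here as an example and not part of the PR or the Chirpy project: it requests each path on a deployment you own and reports whether the server answers with a real 404 (what the maintainer describes for GitHub Pages), a directory listing, or a served file such as `/Makefile`. The base URL, the injectable `fetch` parameter and the listing markers are assumptions of this example, and the markers are a heuristic.

```python
"""Check how a deployment really answers for the paths discussed in #2313.
Added example (not the PR's own code): a client-side redirect in 404.html does
not change what the server returns, so the HTTP status is what to look at."""
import re
import sys
import urllib.error
import urllib.request

# Paths from the PR description; extend with whatever your own build emits.
DEFAULT_PATHS = ["/assets/css/", "/assets/img/", "/assets/js/", "/Makefile"]

# Heuristic markers emitted by common autoindex pages (WEBrick, nginx, Apache).
_LISTING_RE = re.compile(r"<title>\s*Index of\s|Parent Directory", re.IGNORECASE)


def classify(status, body):
    """Map one (HTTP status, body) pair to a finding label."""
    if status == 404:
        return "not-found"          # the desired answer for every path above
    if 200 <= status < 300 and _LISTING_RE.search(body or ""):
        return "directory-listing"  # the server enumerates the directory
    if 200 <= status < 300:
        return "exposed"            # a file is served (e.g. Makefile download)
    return "other"                  # 403, 5xx, unfollowed 3xx, ...


def http_fetch(url):
    """Real fetcher: returns (status, body prefix); HTTP errors are data, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def check_paths(base_url, paths=DEFAULT_PATHS, fetch=http_fetch):
    """Return {path: label}. `fetch` is injectable (assumed here) so tests run offline."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in paths}


def findings(results):
    """Paths that did not come back as a clean 404, i.e. the ones to act on."""
    return sorted(path for path, label in results.items() if label != "not-found")


if __name__ == "__main__":
    # Default target is the local `jekyll serve` address used in the PR's dirb run.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:4000"
    for path, label in check_paths(target).items():
        print(f"{label:17} {path}")
```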