Allow to deny some locations
bugchecker opened this issue · comments
When I tried to use {"root": "."}
I've got public access to some files (bin/
, config/
, logs/
, static.json
). So maybe do one of below actions:
- Allow to deny some locations in
static.json
. - Allow routes'
$path
be tried before$uri
:
heroku-buildpack-static/scripts/config/templates/nginx.conf.erb
Lines 91 to 95 in b613e77
- Automatically detect
{"root": "."}
and deny dangerous prefixes (be attention with/non-blocked-location/../static.json
)
Hi
This buildpack is now deprecated and we are recommending people move the more actively maintained heroku-buildpack-nginx. For migration advice see here.
As such, I'm closing this issue out since we won't be making further changes to this buildpack.