heroku / heroku-buildpack-static

When I tried to use {"root": "."} I've got public access to some files (bin/, config/, logs/, static.json). So maybe do one of below actions:

Allow to deny some locations in static.json.

Allow routes' $path be tried before $uri:

heroku-buildpack-static/scripts/config/templates/nginx.conf.erb

Lines 91 to 95 in b613e77

    
           <% if clean_urls %> 
        
             try_files $uri.html $uri $uri/ $path $fallback; 
        
           <% else %> 
        
             try_files $uri $path $fallback; 
        
           <% end %>

Automatically detect {"root": "."} and deny dangerous prefixes (be attention with /non-blocked-location/../static.json)

Hi

This buildpack is now deprecated and we are recommending people move the more actively maintained heroku-buildpack-nginx. For migration advice see here.

As such, I'm closing this issue out since we won't be making further changes to this buildpack.

	<% if clean_urls %>
	try_files $uri.html $uri $uri/ $path $fallback;
	<% else %>
	try_files $uri $path $fallback;
	<% end %>

Allow to deny some locations