
Gzip of all assets exposes server binary in release build

Open ochrons opened this issue 1 year ago • 2 comments

Problem

When running the fullstack server in release mode, it automatically compresses all files into .gz versions, including the server binary itself. This can then be downloaded as a resource through the server itself via e.g. http://127.0.0.1:8080/dio-fullstack.gz

No need to say, but this is a serious security issue.

Expected behavior

Downloadable assets should be in a separate directory from the server binary. The server binary should never be exposed for download.

Assets should be compressed during compilation, not at runtime, as the directory might be read-only in many cases.

Environment:

  • Dioxus version: 0.5.2
  • Rust version: 1.76
  • OS info: Win11 WSL2
  • App platform: fullstack

ochrons, Apr 17 '24 13:04

As a workaround before the problem is fixed, you can prevent the creation of the binary gz file by

cd dist
touch dio-fullstack.gz
chmod -w dio-fullstack.gz

after building the release version. This will prevent the server from creating a gzipped version of its own binary. Naturally replace dio-fullstack with the name of your server app.

ochrons, Apr 17 '24 13:04

If your project looks like:

- project
   - dist
      - server.exe
      - other-files...

You can move your server up from dist to project and run it to avoid this issue. It only serves the dist directory.

ealmloff, Apr 17 '24 13:04
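As an added example (not part of this thread and not Dioxus's own tooling), a post-build script that combines both suggestions above: it moves the server binary out of dist so the server only ever serves static assets, leaves a read-only placeholder .gz so the runtime compressor cannot write a gzipped copy of the binary, and then checks that no executable file is left in the served directory. The project/dist layout and the binary name are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example: harden a Dioxus fullstack release build after building.
# Assumed layout (from the thread): <project>/dist/<server binary>.

# harden_dist <project dir> <server binary name>
# 1. Move the server binary from dist up to the project dir (ealmloff's
#    suggestion), so the directory the server serves no longer contains it.
# 2. Leave an empty, non-writable <binary>.gz in dist (ochrons's workaround),
#    so the runtime compressor cannot create a downloadable gzipped binary
#    even if the binary is ever copied back into dist.
harden_dist() {
    project="$1"
    bin="$2"
    dist="$project/dist"
    [ -d "$dist" ] || { echo "no dist directory under $project" >&2; return 1; }
    if [ -f "$dist/$bin" ]; then
        mv "$dist/$bin" "$project/$bin"
    fi
    # Create the placeholder only if missing: an existing read-only one
    # would make the redirect fail.
    [ -e "$dist/$bin.gz" ] || : > "$dist/$bin.gz"
    chmod a-w "$dist/$bin.gz"
    return 0
}

# check_dist <project dir>
# Returns 0 when no executable file remains under dist (nothing that looks
# like a server binary can be downloaded), 1 otherwise. Uses mode bits, not
# access checks, so the result is the same when run as root.
check_dist() {
    dist="$1/dist"
    n=$(find "$dist" -type f -perm -u+x | wc -l)
    [ "$n" -eq 0 ]
}
```

Run `harden_dist /path/to/project dio-fullstack` after building the release version, then start the server from the project directory rather than from dist.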