Serve static discard files with a tilde(~) in them even if valid
The StaticRoute disallows serving files with a tilde (~) in them, even if the file is valid, like default~module.js
This is caused by the _DISALLOWED_CHARS_PATTERN regexp that contains the ~ char
https://github.com/falconry/falcon/blob/790d4e4f2eb4d0cf49e11faa2ec226ead0a5b314/falcon/routing/static.py#L42
I cannot easily change the name of the file (since it is the output of the build command of an angular application). I understand that the tilde can cause problems since it normally indicates the home of the user, but I think falcon should accept its use if it refers to a valid file name.
As an alternative maybe the _DISALLOWED_CHARS_PATTERN could be made public, so that it's documented and a user can customize it if they so wish.
Thanks
Hi @CaselIT !
I agree blocking tilde (~) is unnecessarily harsh.
To my understanding, at least on Linux, ultimately all filename characters are valid except / and the NULL byte (0).
Furthermore, although allowed on most Unix filesystems, it is recommended to avoid the following even on Linux: ['&', ':', '<', '>', '|'] both due to compatibility and because they have a completely different meaning if care is not taken to escape them in shell.
It also makes sense to disallow backslash (\) wrt Windows systems.
To work this around for now, you could override _DISALLOWED_CHARS_PATTERN even if it is declared private. But you've probably already gone that way :slightly_smiling_face:
@kgriffs I like @CaselIT's suggestion to make it configurable. How about:
- Allow ~ by default (the downside being, very strictly speaking, a breaking change; only suitable for 3.0 and not 3.1)
- Make the list of allowed characters configurable in the constructor, and add_static_route(); or add a static file options class along the lines of request, router & response options
- The list would default to None meaning the default DISALLOWED_CHARS constant, made public and documented
- Regex would be compiled in the constructor
- Consider always disallowing \x00, / and \ufffd
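One way the configurable check proposed in the list above could look, as an added example that is not part of the thread and is not Falcon's code: StaticPathValidator, its disallowed_chars parameter and both constants are hypothetical names. It assumes validation per path segment, so / is handled by splitting the suffix rather than by the pattern.

```python
import os
import re

# Hypothetical default: the tilde blocked today plus the characters the
# thread calls risky in shells or on Windows. Not Falcon's actual constant.
DEFAULT_DISALLOWED_CHARS = '~&:<>|\\'
# Rejected whatever the caller configures. '/' never reaches the pattern
# because the suffix is split on it before the segments are checked.
ALWAYS_DISALLOWED_CHARS = '\x00\ufffd'


class StaticPathValidator:
    """Maps the URL suffix of a static route to a file under `directory`."""

    def __init__(self, directory, disallowed_chars=None):
        if disallowed_chars is None:
            disallowed_chars = DEFAULT_DISALLOWED_CHARS
        self._directory = os.path.realpath(directory)
        # Compiled once here; re.escape keeps ']', '^' and '-' literal.
        chars = ALWAYS_DISALLOWED_CHARS + disallowed_chars
        self._pattern = re.compile('[' + re.escape(chars) + ']')

    def resolve(self, suffix):
        """Return the absolute path for `suffix`, or None if it is rejected."""
        segments = suffix.split('/')
        for segment in segments:
            if segment in ('', '.', '..') or self._pattern.search(segment):
                return None
        # join() and realpath() never expand '~'; only expanduser() does,
        # so an allowed tilde stays an ordinary filename character.
        candidate = os.path.realpath(os.path.join(self._directory, *segments))
        # Containment check, independent of the character list: a symlink
        # or odd segment must not resolve outside the served directory.
        if os.path.commonpath([self._directory, candidate]) != self._directory:
            return None
        return candidate


if __name__ == '__main__':
    # Constructed sample root and request suffixes.
    relaxed = StaticPathValidator('/srv/app/dist', disallowed_chars='&:<>|\\')
    for suffix in ('default~module.js', 'js/../secret', 'a\x00b.js'):
        print(repr(suffix), '->', relaxed.resolve(suffix))
```

The containment check is what keeps a relaxed character list safe: it holds no matter which characters the caller chooses to allow.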
I like your proposal, but I think we can keep the default behaviour as is now, i.e. disallowing the tilde, so the change would not need to be in a major release.
Since this is the first time this issue has come up I don't think it's a common problem, I think it's sufficient to have a public api to configure it.
> To work this around for now, you could override _DISALLOWED_CHARS_PATTERN even if it is declared private. But you've probably already gone that way 🙂
Yes that is my workaround
I had the same issue, I just migrated to falcon 3.0.1 and the problem is still there.
As a side note: I would not say that changing an _ prefixed global is a public API 😃
In any case: workaround above still works