From 1e3c5e10adb0579863e084d9fbd6f3cac651a76b Mon Sep 17 00:00:00 2001
From: Paul Kulchenko
Date: Mon, 7 Mar 2022 18:13:49 -0800
Subject: [PATCH] Update docs on chmod permissions (#336)
Closes #335
---
 tool/net/help.txt | 4 ++++
 tool/net/redbean.c | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/tool/net/help.txt b/tool/net/help.txt
index 479f37248..227d631f3 100644
--- a/tool/net/help.txt
+++ b/tool/net/help.txt
@@ -961,6 +961,10 @@ FUNCTIONS
 request routing needed for serving assets. This function returns
 true if the request was resolved. If it was resolved, then your
 OnHttpRequest request handler can still set additional headers.
+ Note that the asset needs to have "read other" permissions;
+ otherwise this function logs a warning and returns 403 Forbidden.
+ If this is undesirable, use GetAssetMode and ServeAsset to bypass
+ the check.
 
 ServeAsset(path:str)
 Instructs redbean to serve static asset at path. This function
diff --git a/tool/net/redbean.c b/tool/net/redbean.c
index 95d663c91..ee7819a79 100644
--- a/tool/net/redbean.c
+++ b/tool/net/redbean.c
@@ -6231,6 +6231,9 @@ static char *RoutePath(const char *path, size_t pathlen) {
 struct Asset *a;
 DEBUGF("(srvr) RoutePath(%`'.*s)", pathlen, path);
 if ((a = GetAsset(path, pathlen))) {
+ // only allow "read other" permissions for security
+ // and consistency with handling of "external" files
+ // in this and other webservers
 if ((m = GetMode(a)) & 0004) {
 if (!S_ISDIR(m)) {
 return HandleAsset(a, path, pathlen);
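Review bot: The comment added in RoutePath, "only allow "read other" permissions", reads as if other mode bits were rejected, whereas the condition below it only requires the 0004 bit to be set. It would be clearer as `// serve the asset only when its mode has the other-read bit (0004) set,` followed by the existing consistency rationale. The help.txt hunk in the same patch says that GetAssetMode plus ServeAsset bypasses this check, so the comment should also say that the gate applies to RoutePath only and is not an access-control boundary for handlers that call ServeAsset themselves, for example `// note: ServeAsset does not apply this check`. The branch taken when the bit is clear lies outside the hunk, so the logged warning and 403 response described in help.txt cannot be confirmed from here.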