Update documentation on required asset permissions (closes #335)

2025-08-07 02:10:27 +00:00 · 2021-12-06 22:00:54 -08:00 · 2021-12-06 22:00:54 -08:00 · bb4ff2411e
commit bb4ff2411e
parent d6a039821f
2 changed files with 7 additions and 0 deletions
--- a/tool/net/help.txt
+++ b/tool/net/help.txt
@ -959,6 +959,10 @@ FUNCTIONS
           request routing needed for serving assets. This function returns
           true if the request was resolved. If it was resolved, then your
           OnHttpRequest request handler can still set additional headers.
+           Note that the asset needs to have "read other" permissions;
+           otherwise this function logs a warning and returns 403 Forbidden.
+           If this is undesirable, use GetAssetMode and ServeAsset to bypass
+           the check.

   ServeAsset(path:str)
           Instructs redbean to serve static asset at path. This function
--- a/tool/net/redbean.c
+++ b/tool/net/redbean.c
@ -6200,6 +6200,9 @@ static char *RoutePath(const char *path, size_t pathlen) {
  struct Asset *a;
  DEBUGF("(srvr) RoutePath(%`'.*s)", pathlen, path);
  if ((a = GetAsset(path, pathlen))) {
+    // only allow "read other" permissions for security
+    // and consistency with handling of "external" files
+    // in this and other webservers
    if ((m = GetMode(a)) & 0004) {
      if (!S_ISDIR(m)) {
        return HandleAsset(a, path, pathlen);