merchant www: allow symlinks for vendored libs

debian packager would like to replace vendored libs with system provided ones (using symlinks). This requires "follow_symlinks=True". discussion of security implications: https://serverfault.com/q/244592 to minimise attack surface, we only set this option for the "vendor/" directory. related: https://github.com/spesmilo/electrum/issues/8023
2 years ago · 32ce64faa5
2 changed files with 5 additions and 1 deletions
--- a/electrum/daemon.py
+++ b/electrum/daemon.py
@ -393,6 +393,10 @@ class PayServer(Logger, EventListener):
        app.add_routes([web.get('/api/get_invoice', self.get_request)])
        app.add_routes([web.get('/api/get_status', self.get_status)])
        app.add_routes([web.get('/bip70/{key}.bip70', self.get_bip70_request)])
+        # 'follow_symlinks=True' allows symlinks to traverse out the parent directory.
+        # This was requested by distro packagers for vendored libs, and we restrict it to only those
+        # to minimise attack surface. note: "add_routes" call order matters (inner path goes first)
+        app.add_routes([web.static(f"{root}/vendor", os.path.join(self.WWW_DIR, 'vendor'), follow_symlinks=True)])
        app.add_routes([web.static(root, self.WWW_DIR)])
        if self.config.get('payserver_allow_create_invoice'):
            app.add_routes([web.post('/api/create_invoice', self.create_request)])
--- a/electrum/www
+++ b/electrum/www
@ -1 +1 @@
-Subproject commit ebcff4f6bd695f0c664e2bce6d99eb3824b0d234
+Subproject commit a9cdb5436f79c0577045274194c0473944cdd2a8