How do I convince asp.net MVC static files to follow symbolic links

Asked 12/1, 2018 at 1:27 Answered 28/2, 2021 at 18:17

Solved .net-core asp.net-core-mvc symlink

ASP .NET MVC .UseStaticFiles will not follow symbolic links.

I'm pretty sure this is intentional behavior and an extremely misguided security decision. It might make sense if MBC was used for a wen server hosting a bunch of stuff. It does not make sense for web applications as actually used. If an attacker can place a symbolic link in the wweroot directory he can replace the application binaries.

~~It appeared to be implemented in PhysicalFileProvider, where it gets the full path and checks if it is under wwwroot.~~ Nope. It's calling System.IO.FileInfo.Length which always returns zero for symbolic links.

How do tell it to shut up? Following a symlink out of wwwroot is not equivalent to somebody having exploited a traversal bug.

Newsboy answered 12/1, 2018 at 1:27 Comment(2)

Can you provide details to reproduce your issue? For example, are you on Linux, macOS, Windows, Docker? etc. There isn't really enough to go on here. I tried a simple app with symlinks into wwwroot, and it works fine for me. – Durfee 12/1, 2018 at 17:52

@natemcmaster: I tracked down the actual bug. It's only choking if the file itself is a symbolic link not anything above it. – Newsboy 12/1, 2018 at 20:13

It's bugged in MVC Core. See https://github.com/aspnet/Home/issues/2774

Only possible solution:

HostingEnvironment.WebRootProvider = your own provider

Where your provider must not replicate the bug of calling System.IO.FileInfo.Length.

Newsboy answered 12/1, 2018 at 20:12 Comment(0)

I found that when you symlink not the file but the directory containing the file, the file loads completely.

Tracheo answered 28/2, 2021 at 18:17 Comment(1)

Having found the actual bug in .NET source, this does not surprise me. – Newsboy 28/2, 2021 at 18:21

Recommended topics

Hot tags