Add confine option that confines file responses

[kanongil]

The is a breaking change, since I decided to use true as the default value.

[kanongil]

The baseDir option should probably also apply to the directory handler, to prevent serving files outside of relativeTo by default.

I plan to amend the PR with this feature.

[kanongil]

Rebased patch and split into sub patches, renaming the option to confine.

I decided not to include any confine option for the directory handler, as I think it will be more of a nuisance than an actual security feature.

I plan to merge this soon unless there are any objections or concerns?

[hueniverse]

I don't get it.

I understand how this can be useful in a directory handler where you are serving content based on the request, but is there a real use case for file when you specify the file you want?

Also, directory already have this: https://github.com/hapijs/inert/blob/master/lib/directory.js#L81-L83
Is that not enough?

Seems like an odd feature for the file handler. I can see how it might be useful for the reply.file() method in case you pass it a runtime filename.

[kanongil]

Yeah, it is primarily targeted at reply.file() but also the plain file handler with a function based path.

The other target is the directory handler, where it allows me to remove the hack you mention and fix #5.

I am definitely open to change the defaults for the file handler if you think it will cause issues?

[hueniverse]

Ok. We can give this a try. See how many people report issues. But need to apply to directory.

[chrisisbeef]

@hueniverse / @kanongil - I am curious why this PR hasn't been merged in and pushed yet? This seems to resolve this particular issue, and more importantly is solves a very real security issue. Can you guys provide us with an update on this PR?

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.