Kibana server should not render directory listings #6760

Closed
epixa opened this issue Apr 4, 2016 · 5 comments

epixa commented Apr 4, 2016

The Kibana server should not render directory listings:

[Image: screen shot 2016-04-04 at 10 47 08 am]

If someone really wants to expose a directory for the sake of sharing its contents, they should do so via their reverse proxy.

vicvega commented Apr 5, 2016

@spalger, why did you make this setting configurable?
I mean, why would someone need to enable directory listing? I can't see any reason.

epixa commented Apr 5, 2016

I also can't imagine why someone would need this, but like it or not, the feature does exist at the moment. If we remove it outright, then we might be removing a feature that someone has come to rely on.

spalger commented Apr 5, 2016

The reason I like directory listings is because it lets you figure out what files are available when you don't have access to the file system for whatever reason. This might sound like a security issue, and if you don't want people to know what assets are available you would be "right", but I think there are perfectly valid reasons to expose this information and totally non-malicious reasons you would want this information.

By turning it on only in dev people can use it while writing plugins but... I'm open to disabling it completely.

I think there is a good reason this is generally a default behavior of static file servers though.

vicvega commented Apr 5, 2016

We are using an ES cluster secured by Shield to protect sensitive data and that /bundles/ directory is exposed without any authentication.
I know those are just public static assets, and it is not a real security issue, but it smells like it...

I'd suggest leaving it configurable, but at least disabled by default.

spalger commented Apr 5, 2016

Cool, it is configurable and disabled by default in "production" mode, the default mode. If you set the kibana environment to "development" then this will turn on too, but there's no reason for users to do that.
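
The behaviour settled on in this thread (listings off in the default "production" mode, on only in "development"), sketched as an added example that is not part of the thread and not Kibana's code. `resolveStatic`, `demo`, the 403 response for a refused listing and the sample file name are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: map a URL path under `root` to a response description.
// `env` defaults to "production", where directory listings are refused.
function resolveStatic(root, urlPath, env = 'production') {
  const base = path.resolve(root);
  let decoded;
  try { decoded = decodeURIComponent(urlPath); } catch { return { status: 400 }; }
  // Normalise against "/" so ".." segments cannot climb above the root,
  // then re-check containment as defence in depth.
  const target = path.resolve(base, '.' + path.posix.normalize('/' + decoded));
  if (target !== base && !target.startsWith(base + path.sep)) return { status: 403 };

  let stat;
  try { stat = fs.statSync(target); } catch { return { status: 404 }; }
  if (stat.isFile()) return { status: 200, body: fs.readFileSync(target) };
  if (!stat.isDirectory()) return { status: 404 };

  // A directory with an index file is served in every mode.
  const index = path.join(target, 'index.html');
  if (fs.existsSync(index)) return { status: 200, body: fs.readFileSync(index) };

  // No index: enumerate entries only in development (403 is an assumed choice).
  if (env !== 'development') return { status: 403 };
  const listing = fs.readdirSync(target, { withFileTypes: true })
    .map((e) => (e.isDirectory() ? e.name + '/' : e.name))
    .sort();
  return { status: 200, listing };
}

// Constructed sample tree in a temp directory, so the example runs offline.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'static-'));
  fs.mkdirSync(path.join(root, 'bundles'));
  fs.writeFileSync(path.join(root, 'bundles', 'app.bundle.js'), '/* constructed */');
  return {
    prod: resolveStatic(root, '/bundles/'),
    dev: resolveStatic(root, '/bundles/', 'development'),
    file: resolveStatic(root, '/bundles/app.bundle.js'),
    escape: resolveStatic(root, '/bundles/../../etc/passwd'),
  };
}
```

Individual assets stay reachable in both modes; only the enumeration of a directory's contents depends on the environment.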

tkajtoch added a commit that referenced this issue May 18, 2023
## Summary

`@elastic/[email protected]` ⏩ `@elastic/[email protected]`

---

## [`80.0.0`](https://github.com/elastic/eui/tree/v80.0.0)

- Improved the contrast ratio of meta labels within
`EuiSelectableTemplateSitewide` to meet WCAG AA guidelines.
([#6761](elastic/eui#6761))
- Added `vulnerabilityManagementApp` glyph to `EuiIcon`
([#6762](elastic/eui#6762))
- Added `logoVulnerabilityManagement` icon to `EuiIcon`
([#6763](elastic/eui#6763))
- Added `onPanelChange` callback to `EuiContextMenu` to provide consumer
access to `panelId` and `direction`.
([#6767](elastic/eui#6767))

**Bug fixes**

- Fixed `EuiComboBox` so `append` and `prepend` icon buttons are full
height and vertically centered.
([#6766](elastic/eui#6766))
- Improved the uniformity of dropdown components by hiding the dropdown
icon of disabled `EuiComboBox`s.
([#6768](elastic/eui#6768))

**Breaking changes**

- `EuiFieldNumber` now defaults the `step` prop to `"any"`
([#6760](elastic/eui#6760))
- EUI now globally resets a default Chromium browser style that was
decreasing the opacity of disabled `select` items.
([#6768](elastic/eui#6768))

---------

Co-authored-by: Kibana Machine <[email protected]>
delanni pushed a commit to delanni/kibana that referenced this issue May 25, 2023