Menu
ASP .NET MVC .UseStaticFiles will not follow symbolic links.
I'm pretty sure this is intentional behavior and an extremely misguided security decision. It might make sense if MBC was used for a wen server hosting a bunch of stuff. It does not make sense for web applications as actually used. If an attacker can place a symbolic link in the wweroot directory he can replace the application binaries.
It appeared to be implemented in PhysicalFileProvider, where it gets the full path and checks if it is under wwwroot. Nope. It's calling System.IO.FileInfo.Length which always returns zero for symbolic links.
How do tell it to shut up? Following a symlink out of wwwroot is not equivalent to somebody having exploited a traversal bug.
755
It's bugged in MVC Core. See https://github.com/aspnet/Home/issues/2774
Only possible solution:
HostingEnvironment.WebRootProvider = your own provider
Where your provider must not replicate the bug of calling System.IO.FileInfo.Length.
136
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With