Excluding subfolders of alias file locations from use
In your cwd_engine_conf.xml, if your <sources> section contains a <urls> section with any entries that start with file:/// (that is, entries that refer to a location on disk), then certain subfolders are excluded from use by default for security reasons. You may want to change this list of subfolders to match your own security requirements.
About this task
By default, users constructing an image transformation URL and using an alias that refers to a disk location cannot use any of the following folders:
- WEB-INF
- bin
- .*, that is, any subfolder whose name starts with a period (.)
This means that, for example, given an alias local with value file:///C:/workspaces/images, by default, a user cannot append /source/local/foo/WEB-INF/bar.jpg to an image transformation URL, because bar.jpg is located in the excluded subfolder WEB-INF/. Similarly, /source/local/.settings/fred.jpg is not allowed.
These locations are excluded by default because they typically refer to sensitive locations on disk, which malicious users could take advantage of. Your disk locations may contain further or different sensitive locations. To configure those, you can add an <excludedFolders> element to the <sources> section. Note that if you do, the default set of folders no longer applies. To continue excluding those folders, add them to <excludedFolders>.
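The following added example (not code from the product) models the rule described above so you can check a planned exclusion list against sample paths before deploying it. It assumes that each folder segment of the path after the alias is compared case-sensitively against the list and that .* is the only wildcard form; the function names and the sample paths other than the two from this page are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Defaults listed on this page; ".*" means any folder whose name starts with a period.
DEFAULT_EXCLUDED = ("WEB-INF", "bin", ".*")


def effective_excluded(custom=None):
    """Return the list in force: a custom list replaces the defaults entirely."""
    return tuple(custom) if custom is not None else DEFAULT_EXCLUDED


def blocked_folder(relative_path, excluded):
    """Return the first folder segment that matches an excluded entry, else None.

    relative_path is the part of the URL after /source/<alias>/.
    Assumption: only folder segments are checked, not the file name itself.
    """
    folders = [seg for seg in relative_path.split("/") if seg][:-1]
    for folder in folders:
        for pattern in excluded:
            if fnmatchcase(folder, pattern):
                return folder
    return None


def audit(paths, custom=None):
    """Map each path to the folder that blocks it (None means it is reachable)."""
    excluded = effective_excluded(custom)
    return {path: blocked_folder(path, excluded) for path in paths}


if __name__ == "__main__":
    # First two paths come from this page; the others are constructed samples.
    samples = [
        "foo/WEB-INF/bar.jpg",
        ".settings/fred.jpg",
        "private/keys.jpg",
        "photos/cat.jpg",
    ]
    configs = {
        "defaults": None,
        "custom only": ["private"],
        "custom + defaults": ["private", *DEFAULT_EXCLUDED],
    }
    for label, custom in configs.items():
        print(label)
        for path, hit in audit(samples, custom).items():
            print(f"  {path:24} {'blocked by ' + hit if hit else 'REACHABLE'}")
```

With the "custom only" list, foo/WEB-INF/bar.jpg and .settings/fred.jpg show as reachable, which is the effect of the defaults no longer applying once <excludedFolders> is present.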