How to follow symlink in www folder

lilhater · June 12, 2017, 2:05pm

Howdy Ho!

I’ve learnt that I can use the www folder inside my homeassistant installation to present information out to the world.

Is there a way to allow the http service to follow symbolic links?

When I try to access homeassistantaddress:port/local/file, I get a 404 for symbolic links at this stage.

Not sure if this is the best place for this question.

cariboo · June 12, 2017, 6:29pm

You need to have a web server of some sort running, and in the configuration file you should have something like:

Options +FollowSymLinks

It’s a little vague, but I can be more specific if I knew what websever you are running.

happyleaves · June 12, 2017, 6:35pm

He’s talking about the built-in HASS web server. It automatically serves content from the www directory in your config directory.

lilhater · June 13, 2017, 12:10am

Yeah, I was just trying to avoid opening another port on my server.

However, if you think there’s no other way, I’m happy to setup apache on it.

bbrendon · July 5, 2017, 5:59am

Any luck on this?

lilhater · July 5, 2017, 2:48pm

No sorry… I ended up just opening a new port for a new apache server.
I noticed that hass is using aiohttp but I didn’t find where I can enable follow symlinks.

bbrendon · July 6, 2017, 2:50am

I figured out a work-around. I’m not sure what the repercussions are exactly but so far it appears to work.


--- /tmp/static.py      2017-07-05 
+++ homeassistant/components/http/static.py   2017-07-05 
@@ -23,8 +23,8 @@
             # PyLint is wrong about resolve not being a member.
             # pylint: disable=no-member
             filepath = self._directory.joinpath(filename).resolve()
-            if not self._follow_symlinks:
-                filepath.relative_to(self._directory)
+            #if not self._follow_symlinks:
+            #    filepath.relative_to(self._directory)
         except (ValueError, FileNotFoundError) as error:
             # relatively safe
             raise HTTPNotFound() from error

bodtx · May 30, 2019, 10:16am

I’ve tested and this working. The problem is this will be erased when upgrading HA

you can use python to serve file with a very little memory footprint (5MB)
launch this command in the directory you want to serve:

python -m SimpleHTTPServer 8000

https://docs.python.org/2/library/simplehttpserver.html

aa755 · July 4, 2020, 5:54pm

The following also works and may be more robust against changes in the underlying aiohttp library, because even that library is now instructed to follow symlinks

+++ ~/.local/lib/python3.8/site-packages/homeassistant/components/http/static.py
@@ -25,6 +25,7 @@ class CachingStaticResource(StaticResource):
                 # where the static dir is totally different
                 raise HTTPForbidden()
             filepath = self._directory.joinpath(filename).resolve()
+            self._follow_symlinks=True
             if not self._follow_symlinks:
                 filepath.relative_to(self._directory)

ColinRobbins · October 24, 2020, 3:08pm

I came across this issue too.
The fixes above are very temporary, and will get blown away on a HASS update.
I’ve made a pull request for a more permanent solution:

aa755 · February 17, 2021, 7:03pm

Thanks. Why did not not work out?

ColinRobbins · February 17, 2021, 7:19pm

On discussion with the HA team, it was considered a security risk.

emandt · July 19, 2024, 11:17am

Can an HA Server’s owner decide if an OPTIONAL feature is a security risk, or does someone-else (devs) have to choose it for him?

There are others configuration attributes (like “trusted_networks” or “allow_bypass_login”) that has been implemented even if risky…and those are well used from many ppl