Restrain public files to the public/ folder

As raised by Adriaan (@agboom), the .github-user-tokens.json file was incorrectly exposed, causing the risk of users' GitHub tokens to be used by other entities for the purpose of increasing their rate limits by pretending to be shields.io.
hoopsomuah · Feb 5, 2017 · 6258968 · 6258968
1 parent 8272913
commit 6258968
Show file tree

Hide file tree

Showing 7 changed files with 6 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-    <img src="https://rawgit.com/badges/shields/master/logo.svg"
+    <img src="https://rawgit.com/badges/shields/master/public/logo.svg"
          height="130">
 </p>
 <p align="center">

diff --git a/404.html → public/404.html b/404.html → public/404.html
diff --git a/public/favicon.png b/public/favicon.png
@@ -0,0 +1 @@
+../favicon.png
diff --git a/public/index.html b/public/index.html
@@ -0,0 +1 @@
+../index.html
diff --git a/logo.svg → public/logo.svg b/logo.svg → public/logo.svg
diff --git a/public/try.html b/public/try.html
@@ -0,0 +1 @@
+../try.html
diff --git a/server.js b/server.js
@@ -3,9 +3,10 @@ var serverPort = +process.env.PORT || +process.argv[2] || (secureServer? 443: 80
 var bindAddress = process.env.BIND_ADDRESS || process.argv[3] || '::';
 var infoSite = process.env.INFOSITE || "http://shields.io";
 var githubApiUrl = process.env.GITHUB_URL || 'https://api.github.com';
+var path = require('path');
 var Camp = require('camp');
 var camp = Camp.start({
-  documentRoot: __dirname,
+  documentRoot: path.join(__dirname, 'public'),
   port: serverPort,
   hostname: bindAddress,
   secure: secureServer