Restrain public files to the public/ folder

As raised by Adriaan (@agboom), the .github-user-tokens.json file was incorrectly exposed, causing the risk of users' GitHub tokens to be used by other entities for the purpose of increasing their rate limits by pretending to be shields.io.
2017-02-05 13:40:06 +01:00
parent 8272913d5e
commit 6258968d66
7 changed files with 6 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-    <img src="https://rawgit.com/badges/shields/master/logo.svg"
+    <img src="https://rawgit.com/badges/shields/master/public/logo.svg"
         height="130">
 </p>
 <p align="center">
--- a/public/404.html
+++ b/public/404.html
--- a/public/favicon.png
+++ b/public/favicon.png
@@ -0,0 +1 @@
+../favicon.png
--- a/public/index.html
+++ b/public/index.html
@@ -0,0 +1 @@
+../index.html
--- a/public/logo.svg
+++ b/public/logo.svg
--- a/public/try.html
+++ b/public/try.html
@@ -0,0 +1 @@
+../try.html
--- a/server.js
+++ b/server.js
@@ -3,9 +3,10 @@ var serverPort = +process.env.PORT || +process.argv[2] || (secureServer? 443: 80
 var bindAddress = process.env.BIND_ADDRESS || process.argv[3] || '::';
 var infoSite = process.env.INFOSITE || "http://shields.io";
 var githubApiUrl = process.env.GITHUB_URL || 'https://api.github.com';
+var path = require('path');
 var Camp = require('camp');
 var camp = Camp.start({
-  documentRoot: __dirname,
+  documentRoot: path.join(__dirname, 'public'),
  port: serverPort,
  hostname: bindAddress,
  secure: secureServer