sqlpage · lovasoa · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
diff --git a/SECURITY.md b/SECURITY.md
@@ -129,6 +129,11 @@ SQLPage vulnerabilities:
 - An operator intentionally changes configuration to expose files, trust a
   different database, make an OIDC path public, weaken CSP, enable dangerous
   Markdown options, load SQLite extensions, or enable `allow_exec`.
+- A symlink placed under `web_root` exposes its target. SQLPage follows
+  symlinks during static file serving, so operators must not create symlinks
+  under `web_root` that point to reserved or private files, such as the
+  `sqlpage/` configuration directory or dotfiles, or to files outside
+  `web_root`, since those targets would then be publicly reachable over HTTP.
 - An attacker can modify SQL files, templates, configuration, environment
   variables, migrations, database code, or `sqlpage_files`.
 - The configured database role has broader permissions than the application

diff --git a/configuration.md b/configuration.md
@@ -20,7 +20,7 @@ Here are the available configuration options and their default values:
 | `database_connection_retries`                 | 6                                                           | Database connection attempts before giving up. Retries will happen every 5 seconds.                                                                                                                                                                    |
 | `database_connection_acquire_timeout_seconds` | 10                                                          | How long to wait when acquiring a database connection from the pool before giving up and returning an error.                                                                                                                                           |
 | `sqlite_extensions`                           |                                                             | An array of SQLite extensions to load, such as `mod_spatialite`                                                                                                                                                                                        |
-| `web_root`                                    | `.`                                                         | The root directory of the web server, where the `index.sql` file is located.                                                                                                                                                                           |
+| `web_root`                                    | `.`                                                         | The root directory of the web server, where the `index.sql` file is located. Static file serving follows symlinks, so do not place symlinks under `web_root` that point to private paths (such as the `sqlpage/` config directory) or to files outside `web_root`, as their targets would become publicly reachable (see [`SECURITY.md`](./SECURITY.md)).                                                                                                                                                                          |
 | `site_prefix`                                 | `/`                                                         | Base path of the site. If you want to host SQLPage at `https://example.com/sqlpage/`, set this to `/sqlpage/`. When using a reverse proxy, this allows hosting SQLPage together with other applications on the same subdomain. |
 | `configuration_directory`                     | `./sqlpage/`                                                | The directory where the `sqlpage.json` file is located. This is used to find the path to [`templates/`](https://sql-page.com/custom_components.sql), [`migrations/`](https://sql-page.com/your-first-sql-website/migrations.sql), and `on_connect.sql`. Obviously, this configuration parameter can be set only through environment variables, not through the `sqlpage.json` file itself in order to find the `sqlpage.json` file. Be careful not to use a path that is accessible from the public WEB_ROOT |
 | `allow_exec`                                  | false                                                       | Allow usage of the `sqlpage.exec` function. Do this only if all users with write access to sqlpage query files and to the optional `sqlpage_files` table on the database are trusted.                                                                  |