Public Service Announcement - smolver Security Hole!

I have found a security defect in v1.1.0 or later in smolver: if you have client certificate authentication configured, client certificates (.pem files) could potentially be served if a URL request for the file is received. This is worsened by the fact that per-directory config files, .smol.json files, which may contain authentication configuration data, are also serveable in the same manner.

There are some caveats here:

These .pem files should only be serveable if they live in a directory marked as `staticContent` in your main config.json file.

Depending on your configuration, the .pem files may be serveable publicly, or only to those who present an expected client certificate.

There are several variables at play here, especially in the second bullet point, but the takeaway is that if you are running smolver with authentication configured, please disable authentication until this is fixed.