From: Andrew Ekstedt Date: Fri, 24 Jul 2020 19:48:30 +0000 (-0700) Subject: path,path/filepath: add Join examples with ".." components X-Git-Tag: go1.16beta1~1276 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=98a0071a5363e307c2e284034f810378de3883dd;p=gostls13.git path,path/filepath: add Join examples with ".." components People sometimes expect Join to trim .. components from its arguments before joining, and are surprised that it doesn't. This is bad if they were relying on that assumed behaviour to prevent directory traversal attacks. While a careful reading of the documentation for Join and Clean might dispel this notion, it is not obvious at first glance. Add a case to the examples to nudge people in the right direction. Updates #40373 Change-Id: Ib5792c12ba1000811a0c0eb77048196d0b26da60 Reviewed-on: https://go-review.googlesource.com/c/go/+/249177 Run-TryBot: Ian Lance Taylor Reviewed-by: Ian Lance Taylor Reviewed-by: Rob Pike --- diff --git a/src/path/example_test.go b/src/path/example_test.go index 67b9718664..e30ebd13dc 100644 --- a/src/path/example_test.go +++ b/src/path/example_test.go @@ -79,13 +79,18 @@ func ExampleJoin() { fmt.Println(path.Join("a", "b", "c")) fmt.Println(path.Join("a", "b/c")) fmt.Println(path.Join("a/b", "c")) + + fmt.Println(path.Join("a/b", "../../../xyz")) + fmt.Println(path.Join("", "")) fmt.Println(path.Join("a", "")) fmt.Println(path.Join("", "a")) + // Output: // a/b/c // a/b/c // a/b/c + // ../xyz // // a // a diff --git a/src/path/filepath/example_unix_test.go b/src/path/filepath/example_unix_test.go index 23f21380d0..c9d6944518 100644 --- a/src/path/filepath/example_unix_test.go +++ b/src/path/filepath/example_unix_test.go @@ -72,12 +72,16 @@ func ExampleJoin() { fmt.Println(filepath.Join("a", "b/c")) fmt.Println(filepath.Join("a/b", "c")) fmt.Println(filepath.Join("a/b", "/c")) + + fmt.Println(filepath.Join("a/b", "../../../xyz")) + // Output: // On Unix: // a/b/c // a/b/c // a/b/c // a/b/c + // ../xyz } func ExampleMatch() {