From 902fc114272978a40d2e65c2510a18e870077559 Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Wed, 25 Jul 2018 18:19:51 +0000 Subject: [PATCH] net/http: try to document ServeFile security more We've expanded this several times. Try more. Fixes #18837 Change-Id: I03b699391351a30ee60a15d7aa712c6c66444cf9 Reviewed-on: https://go-review.googlesource.com/125875 Reviewed-by: Ian Lance Taylor --- src/net/http/fs.go | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/net/http/fs.go b/src/net/http/fs.go index 774c5e564b..db44d6b029 100644 --- a/src/net/http/fs.go +++ b/src/net/http/fs.go @@ -650,15 +650,23 @@ func localRedirect(w ResponseWriter, r *Request, newPath string) { // file or directory. // // If the provided file or directory name is a relative path, it is -// interpreted relative to the current directory and may ascend to parent -// directories. If the provided name is constructed from user input, it -// should be sanitized before calling ServeFile. As a precaution, ServeFile -// will reject requests where r.URL.Path contains a ".." path element. +// interpreted relative to the current directory and may ascend to +// parent directories. If the provided name is constructed from user +// input, it should be sanitized before calling ServeFile. // -// As a special case, ServeFile redirects any request where r.URL.Path +// As a precaution, ServeFile will reject requests where r.URL.Path +// contains a ".." path element; this protects against callers who +// might unsafely use filepath.Join on r.URL.Path without sanitizing +// it and then use that filepath.Join result as the name argument. +// +// As another special case, ServeFile redirects any request where r.URL.Path // ends in "/index.html" to the same path, without the final // "index.html". To avoid such redirects either modify the path or // use ServeContent. +// +// Outside of those two special cases, ServeFile does not use +// r.URL.Path for selecting the file or directory to serve; only the +// file or directory provided in the name argument is used. func ServeFile(w ResponseWriter, r *Request, name string) { if containsDotDot(r.URL.Path) { // Too many programs use r.URL.Path to construct the argument to -- 2.50.0