authorGravatar Erik Dubbelboer <erik@dubbelboer.com> 2022-03-03 08:51:13 +0100
committerGravatar GitHub <noreply@github.com> 2022-03-03 08:51:13 +0100
commit15262ecf3c602364639d465daba1e7f3604d00e8 (patch)
tree00f9e93a6eff3bedbb04262736dab39303af1f6f /fs.go
parentFix panic while reading invalid trailers (diff)
Warn about unsafe ServeFile usage (#1228)
See: https://github.com/valyala/fasthttp/issues/1226
Diffstat (limited to 'fs.go')
-rw-r--r--fs.go16
1 files changed, 16 insertions, 0 deletions
diff --git a/fs.go b/fs.go
index 257f066..72c832a 100644
--- a/fs.go
+++ b/fs.go
@@ -30,6 +30,10 @@ import (
// with good compression ratio.
//
// See also RequestCtx.SendFileBytes.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
func ServeFileBytesUncompressed(ctx *RequestCtx, path []byte) {
ServeFileUncompressed(ctx, b2s(path))
}
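Review bot: The two WARNING lines added above ServeFileBytesUncompressed say the same thing twice and leave "a sane Root" undefined; the identical text is repeated in the hunks for ServeFileUncompressed, ServeFileBytes and ServeFile. One paragraph that names both the risk and the bound would read better in godoc, for example `// WARNING: never build path from request data: it is not confined to any directory, so a caller-controlled value can name any file the server process can read.` followed by `// To serve request-selected files, use fasthttp.FS with Root set to the one directory you mean to expose.` That the path is unconfined is taken from the commit's own warning text, since the lookup code lies outside these hunks.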
@@ -43,6 +47,10 @@ func ServeFileBytesUncompressed(ctx *RequestCtx, path []byte) {
// with good compression ratio.
//
// See also RequestCtx.SendFile.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
func ServeFileUncompressed(ctx *RequestCtx, path string) {
ctx.Request.Header.DelBytes(strAcceptEncoding)
ServeFile(ctx, path)
@@ -62,6 +70,10 @@ func ServeFileUncompressed(ctx *RequestCtx, path string) {
// file contents.
//
// See also RequestCtx.SendFileBytes.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
func ServeFileBytes(ctx *RequestCtx, path []byte) {
ServeFile(ctx, b2s(path))
}
@@ -79,6 +91,10 @@ func ServeFileBytes(ctx *RequestCtx, path []byte) {
// Use ServeFileUncompressed is you don't need serving compressed file contents.
//
// See also RequestCtx.SendFile.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
func ServeFile(ctx *RequestCtx, path string) {
rootFSOnce.Do(func() {
rootFSHandler = rootFS.NewRequestHandler()
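Review bot: The comment above ServeFile still sends readers to `RequestCtx.SendFile`, and the sibling comments to `RequestCtx.SendFileBytes`, but this view is limited to fs.go, so it is not visible whether those methods received the same warning. If they forward to ServeFile, as the cross-references suggest, they need the same godoc paragraph, because a caller who reads only the method's documentation would never see it. Separately, the context line `Use ServeFileUncompressed is you don't need serving compressed file contents.` has a typo (`is` for `if`) that could be fixed while this comment is being edited. ServeFile's body continues past the end of the hunk.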