author | Erik Dubbelboer <erik@dubbelboer.com> | 2022-03-03 08:51:13 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-03 08:51:13 +0100 |
commit | 15262ecf3c602364639d465daba1e7f3604d00e8 (patch) | |
tree | 00f9e93a6eff3bedbb04262736dab39303af1f6f /fs.go | |
parent | Fix panic while reading invalid trailers (diff) | |
Warn about unsafe ServeFile usage (#1228)
See: https://github.com/valyala/fasthttp/issues/1226
Diffstat (limited to 'fs.go')
-rw-r--r-- | fs.go | 16 |
1 files changed, 16 insertions, 0 deletions
@@ -30,6 +30,10 @@ import (
 // with good compression ratio.
 //
 // See also RequestCtx.SendFileBytes.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFileBytesUncompressed(ctx *RequestCtx, path []byte) {
 ServeFileUncompressed(ctx, b2s(path))
 }
@@ -43,6 +47,10 @@ func ServeFileBytesUncompressed(ctx *RequestCtx, path []byte) {
 // with good compression ratio.
 //
 // See also RequestCtx.SendFile.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFileUncompressed(ctx *RequestCtx, path string) {
 ctx.Request.Header.DelBytes(strAcceptEncoding)
 ServeFile(ctx, path)
@@ -62,6 +70,10 @@ func ServeFileUncompressed(ctx *RequestCtx, path string) {
 // file contents.
 //
 // See also RequestCtx.SendFileBytes.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFileBytes(ctx *RequestCtx, path []byte) {
 ServeFile(ctx, b2s(path))
 }
@@ -79,6 +91,10 @@ func ServeFileBytes(ctx *RequestCtx, path []byte) {
 // Use ServeFileUncompressed is you don't need serving compressed file contents.
 //
 // See also RequestCtx.SendFile.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFile(ctx *RequestCtx, path string) {
 rootFSOnce.Do(func() {
 rootFSHandler = rootFS.NewRequestHandler() |
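Review bot: The warning added above ServeFileBytesUncompressed (and repeated verbatim above ServeFileUncompressed, ServeFileBytes and ServeFile) is the only safeguard this change introduces, and its wording leaves the reader without a precise rule or a concrete alternative. "any file on your filesystem" is better stated as "any file the server process can read", "a sane Root" does not say what to set, and the second `WARNING:` prefix sits on what is really a continuation of the first sentence. I would write `// WARNING: never derive path from request data; per this API the path is served as given, so a caller-controlled value can name any file the server process can read.` followed by `// To serve user-selected files, use FS with Root set to the single directory meant to be public.` The diffstat shown is limited to fs.go, so whether RequestCtx.SendFile and SendFileBytes, which the "See also" lines point to, carry the same warning cannot be confirmed from this page. ServeFile's body continues past the end of the last hunk.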