diff options
| author |  Erik Dubbelboer <erik@dubbelboer.com>
| 2022-03-03 08:51:13 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2022-03-03 08:51:13 +0100 |
| commit | 15262ecf3c602364639d465daba1e7f3604d00e8 (patch) | |
| tree | 00f9e93a6eff3bedbb04262736dab39303af1f6f /server.go | |
| parent | Fix panic while reading invalid trailers (diff) | |
| download | fasthttp-15262ecf3c602364639d465daba1e7f3604d00e8.tar.gz fasthttp-15262ecf3c602364639d465daba1e7f3604d00e8.tar.bz2 fasthttp-15262ecf3c602364639d465daba1e7f3604d00e8.zip | |
Warn about unsafe ServeFile usage (#1228)
See: https://github.com/valyala/fasthttp/issues/1226
Diffstat (limited to 'server.go')
| -rw-r--r-- | server.go | 8 |
1 files changed, 8 insertions, 0 deletions
@@ -1338,6 +1338,10 @@ func (ctx *RequestCtx) ResetBody() { // SendFile logs all the errors via ctx.Logger. // // See also ServeFile, FSHandler and FS. +// +// WARNING: do not pass any user supplied paths to this function! +// WARNING: if path is based on user input users will be able to request +// any file on your filesystem! Use fasthttp.FS with a sane Root instead. func (ctx *RequestCtx) SendFile(path string) { ServeFile(ctx, path) } @@ -1349,6 +1353,10 @@ func (ctx *RequestCtx) SendFile(path string) { // SendFileBytes logs all the errors via ctx.Logger. // // See also ServeFileBytes, FSHandler and FS. +// +// WARNING: do not pass any user supplied paths to this function! +// WARNING: if path is based on user input users will be able to request +// any file on your filesystem! Use fasthttp.FS with a sane Root instead. func (ctx *RequestCtx) SendFileBytes(path []byte) { ServeFileBytes(ctx, path) } |