Add disclaimer about path trasversal

Former-commit-id: b5be8beba4be0dd54dca763404d7c016ed1b82fb [formerly 5c9091743b1dcb5feb7c344668dd90a6f06c46bc] [formerly 008c8b1fd0898398ed2eafa15ec1b4b77d339ca6 [formerly fc02e7ef57]]
Former-commit-id: 96701a45bd218c70002b1c5b3298703cbf18f9a5 [formerly 8ff492e7cb61e5946eaf6332496e1af1575c360d]
Former-commit-id: 64a1d5238ffe16acbbf8cf5fe9b2825759658194
pull/726/head
Henrique Dias 2017-07-26 09:22:15 +01:00
parent 3263f85638
commit ed6ba12a85
1 changed files with 6 additions and 0 deletions

View File

@ -12,6 +12,12 @@ import (
"strings"
)
// DISCLAIMER: this doesn't sanitize the target path so some may think
// that path trasversal would be possible and the user could change files
// outside of their scope. The User.FileSystem variable is of type webdav.Dir
// which does those checks so this package doesn't need to do them.
// https://github.com/golang/net/blob/master/webdav/file.go#L68
func resourceHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
switch r.Method {
case http.MethodGet: