Add disclaimer about path trasversal
Former-commit-id: b5be8beba4be0dd54dca763404d7c016ed1b82fb [formerly 5c9091743b1dcb5feb7c344668dd90a6f06c46bc] [formerly 008c8b1fd0898398ed2eafa15ec1b4b77d339ca6 [formerly fc02e7ef57
]]
Former-commit-id: 96701a45bd218c70002b1c5b3298703cbf18f9a5 [formerly 8ff492e7cb61e5946eaf6332496e1af1575c360d]
Former-commit-id: 64a1d5238ffe16acbbf8cf5fe9b2825759658194
pull/726/head
parent
3263f85638
commit
ed6ba12a85
|
@ -12,6 +12,12 @@ import (
|
|||
"strings"
|
||||
)
|
||||
|
||||
// DISCLAIMER: this doesn't sanitize the target path so some may think
|
||||
// that path trasversal would be possible and the user could change files
|
||||
// outside of their scope. The User.FileSystem variable is of type webdav.Dir
|
||||
// which does those checks so this package doesn't need to do them.
|
||||
// https://github.com/golang/net/blob/master/webdav/file.go#L68
|
||||
|
||||
func resourceHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
|
|
Loading…
Reference in New Issue