github
/
filebrowser
mirror of https://github.com/filebrowser/filebrowser
1
0
Fork 0
Code Issues Releases Wiki Activity

Add disclaimer about path trasversal

pull/160/head
Henrique Dias 2017-07-26 09:22:15 +01:00
parent 42521f721c
commit fc02e7ef57
No known key found for this signature in database
GPG Key ID: 936F5EB68D786730
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
resource.go
View File

@ -12,6 +12,12 @@ import (
"strings" "strings"
) )
// DISCLAIMER: this doesn't sanitize the target path so some may think
// that path trasversal would be possible and the user could change files
// outside of their scope. The User.FileSystem variable is of type webdav.Dir
// which does those checks so this package doesn't need to do them.
// https://github.com/golang/net/blob/master/webdav/file.go#L68
func resourceHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) { func resourceHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
switch r.Method { switch r.Method {
case http.MethodGet: case http.MethodGet: