Skip to content

net/http: document filepath sanitization for ServeFile #18837

Closed
@FlorianUekermann

Description

@FlorianUekermann

This is a petty formulation issue, but the subject is quite sensitive so I thought I would bring it up. The documentation for http.ServeFile(w ResponseWriter, r *Request, name string) states that name needs to be sanitized to prevent ascension into parent directories. It further states that ServeFile rejects requests that contain ".." as path elements.

I assume the implication of both statements combined is that patterns like

http.ServeFile(w, r, filepath.Join(".", r.URL.Path))
http.ServeFile(w, r, filepath.Join("dir", r.URL.Path))

are "safe" in the sense that ascension into the respective parent directories is not possible.
However this is not obvious from the current documentation as there may more obscure ways of ascending than ".." that are less obvious (I am honestly not sure).

Imo it would be a good idea to state explicitly whether the file path in the above patterns is sufficiently sanitized or not because I see only two scenarios:
-If the patterns above are not safe the current documentation may cause security problems
-If the patterns are safe some users won't take advantage of this great function because it is not explicitly stated (this is me right now).

Metadata

Metadata

Assignees

No one assigned

    Labels

    DocumentationIssues describing a change to documentation.FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityhelp wanted

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions