net/http, security: http.FileServer may inadvertently expose sensitive directories #20759
This is not a hypothetical attack; one estimate found 9700 of the Alexa top 1 million sites expose the
I am wondering whether the Go standard library should do anything to help prevent these inadvertent directory exposures. Our hands are slightly tied by the current API, which exposes everything and can't change.
Aug 8, 2017
I recently wrote a blog post on how to create a file server that both hides and denies access to dot files (post).
I am willing to write this documentation (and an example_test.go for the net/http package). Can someone point me in the right direction as to where the documentation for this issue should be written? Also, I would like to know how the example_test.go files work and if there are any standards when writing one.
Any help would be gladly appreciated! Thanks!
Hey @crazcalm, we met at the NYC meetup. Good to see you again.
Was there something specific you wanted to add to the documentation? The comment on Dir seems pretty clear to me.
I've never written an example, but the final code snippet in the blog post looks like a pretty good start to me. It might be nice if it included some sample output, but that would require a fair bit of setup. Feel free to send the CL to me for a first review if you'd like.
Hey @heschik! Nice to see you again!
I agree that the comment on http.Dir seems pretty clear.
In terms of the example, after reading the godoc post, I have a fairly good idea of how to go about writing the example. However, I am having trouble thinking of a reasonable way to add sample output. Given that the sample output will be checked against the actual output, we would need a directory to have dot files and to be static in nature.
Unless the example is not of hiding dot files and is of a different type of filter. For example, if I filter go/src to only allow items that begin with "c" to be shown, then the output would be relatively static. However, finding the path to every user's go/src directory would be a new problem that the example would have to solve.
Is the sample output worth the added complications? Thoughts?
@heschik How should I go about sending you the CL? And what does CL stand for (I am currently interpreting it as Pull Request, but I'm not sure that I am right)?