From 3f4088edb48e8a4e3c66a5f8e7b2a78615fcb83f Mon Sep 17 00:00:00 2001
From: Francesc Campoy
Date: Tue, 20 Sep 2016 16:58:29 -0700
Subject: [PATCH] godoc: avoid exposing absolute paths on 404

Exposing the full paths to files is considered possible source of vulnerabilities.

Change-Id: Ie9ae3791e51fcff5f1df711f84db9879d7e6ce37
Reviewed-on: https://go-review.googlesource.com/29445
Reviewed-by: Brad Fitzpatrick
---
 godoc/page.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/godoc/page.go b/godoc/page.go
index 79b1e196..ad59b169 100644
--- a/godoc/page.go
+++ b/godoc/page.go
@@ -6,6 +6,8 @@ package godoc
 import (
 "net/http"
+ "os"
+ "path/filepath"
 "runtime"
 )
@@ -36,6 +38,14 @@ func (p *Presentation) ServePage(w http.ResponseWriter, page Page) {
 func (p *Presentation) ServeError(w http.ResponseWriter, r *http.Request, relpath string, err error) {
 w.WriteHeader(http.StatusNotFound)
+ if perr, ok := err.(*os.PathError); ok {
+ rel, err := filepath.Rel(runtime.GOROOT(), perr.Path)
+ if err != nil {
+ perr.Path = "REDACTED"
+ } else {
+ perr.Path = filepath.Join("$GOROOT", rel)
+ }
+ }
 p.ServePage(w, Page{
 Title: "File " + relpath,
 Subtitle: relpath,
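Review bot: `filepath.Rel` returns a nil error for any absolute `perr.Path`, including one that lies outside `runtime.GOROOT()`, so the `REDACTED` branch in `ServeError` is reached only when the path cannot be made relative at all (a relative path, or another volume on Windows). A file served from outside that root, which this hunk cannot rule out, comes back as `../../…`, and after `filepath.Join("$GOROOT", rel)` the 404 page still shows most of the host directory layout. Treat a result that climbs out of the root as unredactable: `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {`, which also needs `"strings"` in the import hunk. The new code also writes through the `*os.PathError` the caller passed in, so the caller's own error value loses the real path for server-side logging; assigning a modified copy (`pe := *perr; pe.Path = …; err = &pe`) would keep the redaction local to the response. The rest of `ServeError`, where `err` is presumably rendered into the page, lies outside the hunk.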