close_issue_1
/
tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

godoc: avoid exposing absolute paths on 404 

Exposing the full paths to files is considered possible
source of vulnerabilities.

Change-Id: Ie9ae3791e51fcff5f1df711f84db9879d7e6ce37
Reviewed-on: https://go-review.googlesource.com/29445
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Francesc Campoy 2016-09-20 16:58:29 -07:00 committed by Francesc Campoy Flores
parent f1a397bba5
commit 3f4088edb4
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
godoc/page.go
View File

@ -6,6 +6,8 @@ package godoc
import ( import (
"net/http" "net/http"
"os"
"path/filepath"
"runtime" "runtime"
) )
@ -36,6 +38,14 @@ func (p *Presentation) ServePage(w http.ResponseWriter, page Page) {
func (p *Presentation) ServeError(w http.ResponseWriter, r *http.Request, relpath string, err error) { func (p *Presentation) ServeError(w http.ResponseWriter, r *http.Request, relpath string, err error) {
w.WriteHeader(http.StatusNotFound) w.WriteHeader(http.StatusNotFound)
if perr, ok := err.(*os.PathError); ok {
rel, err := filepath.Rel(runtime.GOROOT(), perr.Path)
if err != nil {
perr.Path = "REDACTED"
} else {
perr.Path = filepath.Join("$GOROOT", rel)
}
}
p.ServePage(w, Page{ p.ServePage(w, Page{
Title: "File " + relpath, Title: "File " + relpath,
Subtitle: relpath, Subtitle: relpath,