
Commit 15262ec

Warn about unsafe ServeFile usage (#1228)
See: #1226
1 parent 1116d03 commit 15262ec

2 files changed

Lines changed: 24 additions & 0 deletions


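--- a/fs.go
+++ b/fs.go
@@ -30,6 +30,10 @@ import (
 // with good compression ratio.
 //
 // See also RequestCtx.SendFileBytes.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFileBytesUncompressed(ctx *RequestCtx, path []byte) {
 ServeFileUncompressed(ctx, b2s(path))
 }
@@ -43,6 +47,10 @@ func ServeFileBytesUncompressed(ctx *RequestCtx, path []byte) {
 // with good compression ratio.
 //
 // See also RequestCtx.SendFile.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFileUncompressed(ctx *RequestCtx, path string) {
 ctx.Request.Header.DelBytes(strAcceptEncoding)
 ServeFile(ctx, path)
@@ -62,6 +70,10 @@ func ServeFileUncompressed(ctx *RequestCtx, path string) {
 // file contents.
 //
 // See also RequestCtx.SendFileBytes.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFileBytes(ctx *RequestCtx, path []byte) {
 ServeFile(ctx, b2s(path))
 }
@@ -79,6 +91,10 @@ func ServeFileBytes(ctx *RequestCtx, path []byte) {
 // Use ServeFileUncompressed is you don't need serving compressed file contents.
 //
 // See also RequestCtx.SendFile.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func ServeFile(ctx *RequestCtx, path string) {
 rootFSOnce.Do(func() {
 rootFSHandler = rootFS.NewRequestHandler()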
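Review bot: The warning added above ServeFile, and repeated on the other three fs.go functions and on SendFile and SendFileBytes in server.go, states the same thing twice in two WARNING lines and never says why the path is dangerous, so a caller who prefixes a base directory to request data may assume that is enough. Consider one paragraph such as `// WARNING: path is served as given and is not confined to any directory, so never build it from request data; use fasthttp.FS with a fixed Root instead.` Whether a path joined onto a base directory can still leave it through `..` segments is not visible in these hunks. ServeFile's body continues outside the hunk, so confirm its normalisation there before wording the caveat more strongly.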

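--- a/server.go
+++ b/server.go
@@ -1338,6 +1338,10 @@ func (ctx *RequestCtx) ResetBody() {
 // SendFile logs all the errors via ctx.Logger.
 //
 // See also ServeFile, FSHandler and FS.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func (ctx *RequestCtx) SendFile(path string) {
 ServeFile(ctx, path)
 }
@@ -1349,6 +1353,10 @@ func (ctx *RequestCtx) SendFile(path string) {
 // SendFileBytes logs all the errors via ctx.Logger.
 //
 // See also ServeFileBytes, FSHandler and FS.
+//
+// WARNING: do not pass any user supplied paths to this function!
+// WARNING: if path is based on user input users will be able to request
+// any file on your filesystem! Use fasthttp.FS with a sane Root instead.
 func (ctx *RequestCtx) SendFileBytes(path []byte) {
 ServeFileBytes(ctx, path)
 }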
