From 264820e3e8227c96775da7c439e114c4ed7c41b7 Mon Sep 17 00:00:00 2001
From: Matthew Holt <Matthew.Holt+git@gmail.com>
Date: Mon, 27 Apr 2015 22:27:34 -0600
Subject: [PATCH] Fixed config file leak, but new todo item

---
 server/fileserver.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/fileserver.go b/server/fileserver.go
index 92e59602..77c5d4a8 100644
--- a/server/fileserver.go
+++ b/server/fileserver.go
@@ -99,7 +99,13 @@ func (fh *fileHandler) serveFile(w http.ResponseWriter, r *http.Request, name st
 	// If the file is supposed to be hidden, return a 404
 	// (TODO: If the slice gets large, a set may be faster)
 	for _, hiddenPath := range fh.hide {
-		if d.Name() == hiddenPath {
+		// Case-insensitive file systems may have loaded "CaddyFile" when
+		// we think we got "Caddyfile", which poses a security risk if we
+		// aren't careful here: case-insensitive comparison is required!
+		// TODO: This matches file NAME only, regardless of path. In other
+		// words, trying to serve another file with the same name as the
+		// active config file will result in a 404 when it shouldn't.
+		if strings.EqualFold(d.Name(), path.Base(hiddenPath)) {
 			return http.StatusNotFound, nil
 		}
 	}