Infrastructure/caddy
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
Code Issues Activity

Fixed config file leak, but new todo item

Browse source
This commit is contained in:
Matthew Holt 2015-04-27 22:27:34 -06:00
parent 979041a072
commit 264820e3e8
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
server/fileserver.go
View file

@ -99,7 +99,13 @@ func (fh *fileHandler) serveFile(w http.ResponseWriter, r *http.Request, name st
// If the file is supposed to be hidden, return a 404 // If the file is supposed to be hidden, return a 404
// (TODO: If the slice gets large, a set may be faster) // (TODO: If the slice gets large, a set may be faster)
for _, hiddenPath := range fh.hide { for _, hiddenPath := range fh.hide {
if d.Name() == hiddenPath { // Case-insensitive file systems may have loaded "CaddyFile" when
// we think we got "Caddyfile", which poses a security risk if we
// aren't careful here: case-insensitive comparison is required!
// TODO: This matches file NAME only, regardless of path. In other
// words, trying to serve another file with the same name as the
// active config file will result in a 404 when it shouldn't.
if strings.EqualFold(d.Name(), path.Base(hiddenPath)) {
return http.StatusNotFound, nil return http.StatusNotFound, nil
} }
} }