Does Go clear URLs for web requests?

Question

Does Go clear URLs for web requests?

I implemented a simple web server in Go. Since I have no experience in web development, this was a serious question for me.

Say I'm serving webpages with a modified function loadPagefrom here

func loadPage(title string) []byte {
    filename := title 
    body, _ := ioutil.ReadFile(filename)
    return body
}

func handler(w http.ResponseWriter, req *http.Request) {
    content := loadPage(req.URL.Path[1:])
    fmt.Fprintf(w, "%s", content)
}

Technically, this allows me to write a query in the form

 http://example.com/../../etc/passwd

and the code will gladly serve the / etc / passwd file, but it is not. Does this mean that there is some protection against ../the Go HTTP package or the HTTP protocol, or am I just doing something wrong and is this a security hole?

+4

go web

UldisK Apr 25 '14 at 6:09

source share

1 answer

Ashe · Accepted Answer · 2014-04-25T06:25:50+0000

net/httpdoes this in its HTTP request multiplexer ServeMux:

ServeMux URL-, . .. .- ..- URL.

private func cleanPath(p string) string, path.Clean:

1415        np := path.Clean(p)

path.Clean :

 97         case path[r] == '.' && path[r+1] == '.' && (r+2 == n || path[r+2] == '/'):
 98             // .. element: remove to last /
 99             r += 2
100             switch {
101             case out.w > dotdot:
102                 // can backtrack
103                 out.w--
104                 for out.w > dotdot && out.index(out.w) != '/' {
105                     out.w--
106                 }

, , cleanPath , , , .

Does Go clear URLs for web requests?

More articles: