Merge branch 'pages-gz-symlink-0.4.4' into '0-4-stable'v0.4.4 0-4-stable

Don't serve statically-compiled `.gz` files that are symlinks (v0.4.4) See merge request gitlab/gitlab-pages!2
author: Nick Thomas <nick@gitlab.com> 2017-08-29 16:29:58 +0300
committer: Nick Thomas <nick@gitlab.com> 2017-08-29 16:29:58 +0300
commit: 36f16fdf8b02854e1693a7986d167157f03646d4 (patch)
tree: 8d2827aad3d201db2e14bcdd71a74436611de970
parent: 34a68fc5297982c62c5b3947be84555fe3a99dc3 (diff)
parent: 5f15bedf87e3f2b34331c9a57cd8ec809cc26e16 (diff)
6 files changed, 10 insertions, 5 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 77e97212..4c429f83 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+v 0.4.4
+- Don't serve statically-compiled `.gz` files that are symlinks
+
 v 0.4.3
 - Fix domain lookups when Pages is exposed on non-default ports
 
diff --git a/VERSION b/VERSION
index 17b2ccd9..6f2743d6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.4.3
+0.4.4
diff --git a/domain.go b/domain.go
index 8af0e394..4b974806 100644
--- a/domain.go
+++ b/domain.go
@@ -35,8 +35,7 @@ func acceptsGZip(r *http.Request) bool {
 func (d *domain) serveFile(w http.ResponseWriter, r *http.Request, fullPath string) error {
 	// Open and serve content of file
 	if acceptsGZip(r) {
-		_, err := os.Stat(fullPath + ".gz")
-		if err == nil {
+		if fi, err := os.Lstat(fullPath + ".gz"); err == nil && fi.Mode().IsRegular() {
 			// Set the content type based on the non-gzipped extension
 			_, haveType := w.Header()["Content-Type"]
 			if !haveType {
@@ -70,8 +69,7 @@ func (d *domain) serveCustomFile(w http.ResponseWriter, r *http.Request, code in
 	// Open and serve content of file
 	ext := filepath.Ext(fullPath)
 	if acceptsGZip(r) {
-		_, err := os.Stat(fullPath + ".gz")
-		if err == nil {
+		if fi, err := os.Lstat(fullPath + ".gz"); err == nil && fi.Mode().IsRegular() {
 			// Serve up the gzipped version
 			fullPath += ".gz"
 			w.Header().Set("Content-Encoding", "gzip")
diff --git a/domain_test.go b/domain_test.go
index b4879ee0..6ca1424f 100644
--- a/domain_test.go
+++ b/domain_test.go
@@ -121,6 +121,8 @@ func TestGroupServeHTTPGzip(t *testing.T) {
 		{"GET", "http://group.test.io/", nil, ";; gzip", "main-dir", false},
 		{"GET", "http://group.test.io/", nil, "middle-out", "main-dir", false},
 		{"GET", "http://group.test.io/", nil, "gzip; quality=1", "main-dir", false},
+		// Symlinked .gz files are not supported
+		{"GET", "http://group.test.io/gz-symlink", nil, "*", "data", false},
 	}
 
 	for _, tt := range testSet {
diff --git a/shared/pages/group/group.test.io/public/gz-symlink b/shared/pages/group/group.test.io/public/gz-symlink
new file mode 100644
index 00000000..6320cd24
--- /dev/null
+++ b/shared/pages/group/group.test.io/public/gz-symlink
@@ -0,0 +1 @@
+data
+\ No newline at end of file
diff --git a/shared/pages/group/group.test.io/public/gz-symlink.gz b/shared/pages/group/group.test.io/public/gz-symlink.gz
new file mode 120000
index 00000000..28e14853
--- /dev/null
+++ b/shared/pages/group/group.test.io/public/gz-symlink.gz
@@ -0,0 +1 @@
+../config.json
+\ No newline at end of file
author	Nick Thomas <nick@gitlab.com>	2017-08-29 16:29:58 +0300
committer	Nick Thomas <nick@gitlab.com>	2017-08-29 16:29:58 +0300
commit	36f16fdf8b02854e1693a7986d167157f03646d4 (patch)
tree	8d2827aad3d201db2e14bcdd71a74436611de970
parent	34a68fc5297982c62c5b3947be84555fe3a99dc3 (diff)
parent	5f15bedf87e3f2b34331c9a57cd8ec809cc26e16 (diff)