Merge branch 'pages-gz-symlink-0.5.1' into 'master'v0.5.1

Don't serve statically-compiled `.gz` files that are symlinks (v0.5.1) See merge request gitlab/gitlab-pages!1
author: Nick Thomas <nick@gitlab.com> 2017-08-29 16:30:02 +0300
committer: Nick Thomas <nick@gitlab.com> 2017-08-29 16:30:02 +0300
commit: 243bdbc4980905220706bdb9215a7d802eced502 (patch)
tree: 1a067bfeb439d6613fae09e95587b7aa4496f316
parent: 0173d4e6b6b17443155d121a9098d0e742b9c4e3 (diff)
parent: fd3aa1374e1390d3b20cbd0963d9599c5bbb90ae (diff)
6 files changed, 10 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 9a01248a..730bc3a0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+v 0.5.1
+- Don't serve statically-compiled `.gz` files that are symlinks
+
 v 0.5.0
 - Don't try to update domains if reading the update file fails !32
 - Add CORS support to GET requests !33
diff --git a/VERSION b/VERSION
index 8f0916f7..4b9fcbec 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.0
+0.5.1
diff --git a/domain.go b/domain.go
index 45e59f94..358a71d8 100644
--- a/domain.go
+++ b/domain.go
@@ -41,8 +41,8 @@ func handleGZip(w http.ResponseWriter, r *http.Request, fullPath string) string
 
 	gzipPath := fullPath + ".gz"
 
-	_, err := os.Stat(gzipPath)
-	if err != nil {
+	// Ensure the .gz file is not a symlink
+	if fi, err := os.Lstat(gzipPath); err != nil || !fi.Mode().IsRegular() {
 		return fullPath
 	}
 
diff --git a/domain_test.go b/domain_test.go
index 3ccac7ca..e1d5154f 100644
--- a/domain_test.go
+++ b/domain_test.go
@@ -122,6 +122,8 @@ func TestGroupServeHTTPGzip(t *testing.T) {
 		{"GET", "http://group.test.io/", nil, ";; gzip", "main-dir", false},
 		{"GET", "http://group.test.io/", nil, "middle-out", "main-dir", false},
 		{"GET", "http://group.test.io/", nil, "gzip; quality=1", "main-dir", false},
+		// Symlinked .gz files are not supported
+		{"GET", "http://group.test.io/gz-symlink", nil, "*", "data", false},
 	}
 
 	for _, tt := range testSet {
diff --git a/shared/pages/group/group.test.io/public/gz-symlink b/shared/pages/group/group.test.io/public/gz-symlink
new file mode 100644
index 00000000..6320cd24
--- /dev/null
+++ b/shared/pages/group/group.test.io/public/gz-symlink
@@ -0,0 +1 @@
+data
+\ No newline at end of file
diff --git a/shared/pages/group/group.test.io/public/gz-symlink.gz b/shared/pages/group/group.test.io/public/gz-symlink.gz
new file mode 120000
index 00000000..28e14853
--- /dev/null
+++ b/shared/pages/group/group.test.io/public/gz-symlink.gz
@@ -0,0 +1 @@
+../config.json
+\ No newline at end of file
author	Nick Thomas <nick@gitlab.com>	2017-08-29 16:30:02 +0300
committer	Nick Thomas <nick@gitlab.com>	2017-08-29 16:30:02 +0300
commit	243bdbc4980905220706bdb9215a7d802eced502 (patch)
tree	1a067bfeb439d6613fae09e95587b7aa4496f316
parent	0173d4e6b6b17443155d121a9098d0e742b9c4e3 (diff)
parent	fd3aa1374e1390d3b20cbd0963d9599c5bbb90ae (diff)