author | Nick Thomas <nick@gitlab.com> | 2017-08-08 17:35:00 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2017-08-08 18:50:54 +0300 |
commit | 7d4c5cb8faa21efd5e3c89e9f4e850a372c2a4fa (patch) | |
tree | fc933614b48ca24ca4a4036cc1d236368df64562 | |
parent | 0173d4e6b6b17443155d121a9098d0e742b9c4e3 (diff) |
Don't serve statically-compiled `.gz` files that are symlinks
-rw-r--r-- | domain.go | 4 | ||||
-rw-r--r-- | domain_test.go | 2 | ||||
-rw-r--r-- | shared/pages/group/group.test.io/public/gz-symlink | 1 | ||||
l--------- | shared/pages/group/group.test.io/public/gz-symlink.gz | 1 |
4 files changed, 6 insertions, 2 deletions
@@ -41,8 +41,8 @@ func handleGZip(w http.ResponseWriter, r *http.Request, fullPath string) string
 gzipPath := fullPath + ".gz"
- _, err := os.Stat(gzipPath)
- if err != nil {
+ // Ensure the .gz file is not a symlink
+ if fi, err := os.Lstat(gzipPath); err != nil || !fi.Mode().IsRegular() {
 return fullPath
 }
diff --git a/domain_test.go b/domain_test.go
index 3ccac7ca..e1d5154f 100644
--- a/domain_test.go
+++ b/domain_test.go
@@ -122,6 +122,8 @@ func TestGroupServeHTTPGzip(t *testing.T) {
 {"GET", "http://group.test.io/", nil, ";; gzip", "main-dir", false},
 {"GET", "http://group.test.io/", nil, "middle-out", "main-dir", false},
 {"GET", "http://group.test.io/", nil, "gzip; quality=1", "main-dir", false},
+ // Symlinked .gz files are not supported
+ {"GET", "http://group.test.io/gz-symlink", nil, "*", "data", false},
 }
 for _, tt := range testSet {
diff --git a/shared/pages/group/group.test.io/public/gz-symlink b/shared/pages/group/group.test.io/public/gz-symlink
new file mode 100644
index 00000000..6320cd24
--- /dev/null
+++ b/shared/pages/group/group.test.io/public/gz-symlink
@@ -0,0 +1 @@
+data
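Review bot: The `os.Lstat` check in handleGZip validates the path, not the file that is later opened, so if site content can change while requests are served, the `.gz` entry could be replaced by a symlink between this check and the open that presumably follows when the returned path is served (that code is outside the hunk). A sturdier pattern is to open first with `os.OpenFile(gzipPath, os.O_RDONLY|syscall.O_NOFOLLOW, 0)`, call `f.Stat()` on the descriptor and serve from that same handle; this means handing back the file rather than a path string, so it touches the caller. Lstat also inspects only the final path component, so a symlinked parent directory under `fullPath` is not caught here unless the caller resolves it earlier. The comment could read `// Serve the .gz only if it is a regular file (rejects symlinks, directories, devices)` to match what `IsRegular()` actually enforces.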
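Review bot: The new table row in TestGroupServeHTTPGzip only proves the fix if the fixture's link target `../config.json` actually exists in the test tree; with a dangling link the old `os.Stat` call would also have failed and the row would pass without the change. The commit does not add that target, so it is worth confirming it is already present, or pointing the link at a file this commit creates. A short comment on the row such as `// gz-symlink.gz -> ../config.json must not be served in place of gz-symlink` would record what is being guarded. The test loop body is outside the hunk, so whether the absence of `Content-Encoding: gzip` is asserted cannot be seen here.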
\ No newline at end of file
diff --git a/shared/pages/group/group.test.io/public/gz-symlink.gz b/shared/pages/group/group.test.io/public/gz-symlink.gz
new file mode 120000
index 00000000..28e14853
--- /dev/null
+++ b/shared/pages/group/group.test.io/public/gz-symlink.gz
@@ -0,0 +1 @@
+../config.json
\ No newline at end of file |