diff options
Diffstat (limited to 'internal/domain/domain.go')
| -rw-r--r-- | internal/domain/domain.go | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/internal/domain/domain.go b/internal/domain/domain.go index 261707cf..2c4f4e29 100644 --- a/internal/domain/domain.go +++ b/internal/domain/domain.go @@ -15,6 +15,8 @@ import ( "sync" "time" + "golang.org/x/sys/unix" + "gitlab.com/gitlab-org/gitlab-pages/internal/httperrors" "gitlab.com/gitlab-org/gitlab-pages/internal/httputil" ) @@ -231,7 +233,7 @@ func (d *D) HasProject(r *http.Request) bool { func (d *D) serveFile(w http.ResponseWriter, r *http.Request, origPath string) error { fullPath := handleGZip(w, r, origPath) - file, err := os.Open(fullPath) + file, err := openNoFollow(fullPath) if err != nil { return err } @@ -257,7 +259,7 @@ func (d *D) serveCustomFile(w http.ResponseWriter, r *http.Request, code int, or fullPath := handleGZip(w, r, origPath) // Open and serve content of file - file, err := os.Open(fullPath) + file, err := openNoFollow(fullPath) if err != nil { return err } @@ -455,3 +457,7 @@ func (d *D) ServeNotFoundHTTP(w http.ResponseWriter, r *http.Request) { func endsWithSlash(path string) bool { return strings.HasSuffix(path, "/") } + +func openNoFollow(path string) (*os.File, error) { + return os.OpenFile(path, os.O_RDONLY|unix.O_NOFOLLOW, 0) +} |