This release primarily includes a few minor breaking changes to make the
MkdirAll and SecureJoin interfaces more robust against accidental
misuse.
-
SecureJoin(VFS)will now return an error if the providedrootis not a
filepath.Clean'd path.While it is ultimately the responsibility of the caller to ensure the root is
a safe path to use, passing a path like/symlink/..as a root would result
in theSecureJoin'd path being placed in/even though/symlink/..
might be a different directory, and so we should more strongly discourage
such usage.All major users of
securejoin.SecureJoinalready ensure that the paths they
provide are safe (and this is ultimately a question of user error), but
removing this foot-gun is probably a good idea. Of course, this is
necessarily a breaking API change (though we expect no real users to be
affected by it).Thanks to Erik Sjölund, who initially
reported this issue as a possible security issue. -
MkdirAllandMkdirHandlenow take anos.FileMode-style mode argument
instead of a rawunix.S_*-style mode argument, which may cause compile-time
type errors depending on how you usefilepath-securejoin. For most users,
there will be no change in behaviour aside from the type change (as the
bottom0o777bits are the same in both formats, and most users are probably
only using those bits).However, if you were using
unix.S_ISVTXto set the sticky bit with
MkdirAll(Handle)you will need to switch toos.ModeStickyotherwise you
will get a runtime error with this update. In addition, the error message you
will get from passingunix.S_ISUIDandunix.S_ISGIDwill be different as
they are treated as invalid bits now (note that previously passing said bits
was also an error).
Thanks to the following contributors for helping make this release
possible:
- Aleksa Sarai [email protected]
- Erik Sjölund [email protected]
Signed-off-by: Aleksa Sarai [email protected]