Do not follow symbolic links by default

Resolves #4.
2 years ago · 4f4e2a8cbe
3 changed files with 18 additions and 0 deletions
--- a/CONFIGURATION.md
+++ b/CONFIGURATION.md
@ -102,6 +102,10 @@ Cache duration (in seconds). Set to `0` to disable caching entirely. This is an
 out-of-spec feature. See [PROPOSALS.md](https://gitlab.com/tslocum/twins/blob/master/PROPOSALS.md)
 for more information.

+##### SymLinks
+
+When enabled, symbolic links may be accessed. This attribute is disabled by default.
+
 ##### HiddenFiles

 When enabled, hidden files and directories may be accessed. This attribute is
--- a/config.go
+++ b/config.go
@ -31,6 +31,9 @@ type pathConfig struct {
 	// Request sensitive input
 	SensitiveInput string

+	// Follow symbolic links
+	SymLinks bool
+
 	// Serve hidden files and directories
 	HiddenFiles bool

--- a/server.go
+++ b/server.go
@ -154,6 +154,17 @@ func servePath(c *tls.Conn, request *url.URL, serve *pathConfig) {
 		if root[len(root)-1] != '/' {
 			root += "/"
 		}
+
+		if !serve.SymLinks {
+			for i := range requestSplit[pathSlashes:] {
+				info, err := os.Lstat(path.Join(root, strings.Join(requestSplit[pathSlashes:pathSlashes+i+1], "/")))
+				if err != nil || info.Mode()&os.ModeSymlink == os.ModeSymlink {
+					writeStatus(c, statusTemporaryFailure)
+					return
+				}
+			}
+		}
+
 		filePath = path.Join(root, resolvedPath)
 	}