From 16ce63c2082a62a23aafd2b54eac8d8c6ef99a8a Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Thu, 6 Apr 2017 12:16:28 +0100
Subject: [PATCH] add some comments about path sanitisation

---
 src/github.com/matrix-org/rageshake/logserver.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/github.com/matrix-org/rageshake/logserver.go b/src/github.com/matrix-org/rageshake/logserver.go
index a39c49c..a5fab39 100644
--- a/src/github.com/matrix-org/rageshake/logserver.go
+++ b/src/github.com/matrix-org/rageshake/logserver.go
@@ -46,7 +46,11 @@ func (f *logServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// eliminate ., .., //, etc
 	upath = path.Clean(upath)
 
-	// reject some dodgy paths
+	// reject some dodgy paths. This is based on the code for http.Dir.Open (see https://golang.org/src/net/http/fs.go#L37).
+	//
+	// the check for '..' is a sanity-check because my understanding of `path.Clean` is that it should never return
+	// a value including '..' for input starting with '/'. It's taken from the code for http.ServeFile
+	// (https://golang.org/src/net/http/fs.go#L637).
 	if containsDotDot(upath) || strings.Contains(upath, "\x00") || (filepath.Separator != '/' && strings.IndexRune(upath, filepath.Separator) >= 0) {
 		http.Error(w, "invalid URL path", http.StatusBadRequest)
 		return