Traversal-resistant file APIs (The Go Blog)
Date:
Wed, 12 Mar 2025 17:13:18 +0000
Description:
Damien Neil has written an article for the Go Blog about path
traversal vulnerabilities and the os.Root API added in Go 1.24 to help
prevent them.

Root permits relative path components and symlinks that do not escape
the root. For example, root.Open("a/../b") is permitted. Filenames are
resolved using the semantics of the local platform: On Unix systems,
this will follow any symlink in "a" (so long as that link does not
escape the root); while on Windows systems this will open "b" (even if
"a" does not exist).
======================================================================
Link to news story:
https://lwn.net/Articles/1013876/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)
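
The resolution rules quoted in the description above, as an added example that is not taken from the Go Blog article or from LWN. It assumes Go 1.24 or later on a Unix-like system; the directory layout and every file name are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// probe builds a constructed tree (all names are made up for this example)
// and reports which names os.Root agrees to open.
func probe() (map[string]bool, error) {
	base, err := os.MkdirTemp("", "rootdemo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	rootDir := filepath.Join(base, "root")
	// Layout: base/secret lies outside the root; root/b lies inside it.
	err = errors.Join(
		os.MkdirAll(filepath.Join(rootDir, "a"), 0o755),
		os.WriteFile(filepath.Join(rootDir, "b"), []byte("inside"), 0o644),
		os.WriteFile(filepath.Join(base, "secret"), []byte("outside"), 0o644),
		os.Symlink("../b", filepath.Join(rootDir, "a", "in")), // resolves to root/b
		os.Symlink("../secret", filepath.Join(rootDir, "out")), // resolves to base/secret
	)
	if err != nil {
		return nil, err
	}
	root, err := os.OpenRoot(rootDir)
	if err != nil {
		return nil, err
	}
	defer root.Close()
	opened := map[string]bool{}
	for _, name := range []string{"a/../b", "a/in", "out", "../secret"} {
		f, err := root.Open(name)
		if err == nil {
			f.Close()
		}
		opened[name] = err == nil // refused names come back as an error
	}
	return opened, nil
}

func main() {
	opened, err := probe()
	fmt.Println(opened, err)
}
```

The two names that stay inside the root open; the symlink that points outside it and the plain "../secret" path are both refused with an error.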