Traversal-resistant file APIs (The Go Blog)

by
jzb
from LWN.net on (#6VWA0)

Damien Neil has written an article for the Go Blog about pathtraversal vulnerabilities and the os.Root API added in Go 1.24 to help preventthem.

Root permits relative path components and symlinks that do not escapethe root. For example, root.Open("a/../b") is permitted. Filenames areresolved using the semantics of the local platform: On Unix systems,this will follow any symlink in "a" (so long as that link does notescape the root); while on Windows systems this will open "b" (even if"a" does not exist).
External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments