📝 Added comment about potentially insecure static routing

2023-11-13 06:37:11 +06:00 · 2023-11-13 06:37:11 +06:00 · 32f3b803e6
parent 6eafdd4b86
commit 32f3b803e6
1 changed files with 6 additions and 0 deletions
--- a/main.go
+++ b/main.go
@ -100,6 +100,12 @@ func NewApp(ctx context.Context, config *domain.Config) (*App, error) {

 			lang := domain.NewLanguage(head)
 			if lang == domain.LanguageUnd {
+				// WARN(toby3d): fetch static resources from separated static directory instead of
+				// $HOME_CONTENT_DIR?
+				//
+				// Looks like what current logic is insecure, because resource from private page in
+				// content directory '/en/page/file.jpg' by lower use case execution can be accessed
+				// here by URL '/page/file.jpg'.
 				res, err := staticer.Do(r.Context(), r.URL.Path)
 				if err != nil {
 					if errors.Is(err, fs.ErrNotExist) {