📝 Added comment about potentially insecure static routing
parent
6eafdd4b86
commit
32f3b803e6
6
main.go
6
main.go
|
@ -100,6 +100,12 @@ func NewApp(ctx context.Context, config *domain.Config) (*App, error) {
|
|||
|
||||
lang := domain.NewLanguage(head)
|
||||
if lang == domain.LanguageUnd {
|
||||
// WARN(toby3d): fetch static resources from separated static directory instead of
|
||||
// $HOME_CONTENT_DIR?
|
||||
//
|
||||
// Looks like what current logic is insecure, because resource from private page in
|
||||
// content directory '/en/page/file.jpg' by lower use case execution can be accessed
|
||||
// here by URL '/page/file.jpg'.
|
||||
res, err := staticer.Do(r.Context(), r.URL.Path)
|
||||
if err != nil {
|
||||
if errors.Is(err, fs.ErrNotExist) {
|
||||
|
|
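Review bot: The new WARN comment above `staticer.Do(r.Context(), r.URL.Path)` documents an access-control gap, but the `lang == domain.LanguageUnd` branch still passes the raw request path to the static lookup. As far as this hunk shows, a file belonging to a private page under '/en/page/' therefore stays reachable as '/page/file.jpg'. I would reword the comment so that it names the risk and the intended fix, for example `// FIXME(toby3d): static lookup ignores page visibility; '/page/file.jpg' can resolve to a private page's '/en/page/file.jpg'. Serve static files from a dedicated directory or apply the page's access check first.`, and link it to a tracking issue so it does not get lost. A regression test that requests the un-prefixed path of a private page's resource and expects a not-found response would pin the behaviour once it is fixed. NewApp starts and ends outside the hunk, so I cannot tell whether a later check already limits what this branch returns.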