v5.5.0 release notes
- Static file serving (
router.Static()
)- Now rejects paths containing
\
,//
with404 Not Found
. - Now rejects non-empty paths that don't start with a slash. An empty path will still return
index.html
like before. - Now rejects paths containing a
.
,..
or empty segment. - These changes fix a vulnerability when using
osfs.FS
as the file system forrouter.Static()
: files outside of the base path of the file system were accessible to the clients if they requested a path containing..
. - For the
Content-Disposition
header, the actual path is now used to get the name of the file instead of the raw input. This solves the issue of an invalid header value returned when the returned file isindex.html
.
- Now rejects paths containing
- In
response.File()
andresponse.Download()
, the file is now opened only once instead of thrice. fsutil
changes:- Added
fsutil.DetectContentType()
, which sniffs directly from a reader instead of a file name. - Added
fsutil.DetectContentTypeByExtension()
for content type detection fallback. - Expanded the list of known file extensions for content type detection.
- Added
- Added
testutil.Session()
, a new testing utility used to mock thesession.Session
interface. This implementation is designed to provide a realistic, observable transaction system and help identify incorrect usage.