Skip to content

v5.5.0 release notes

  • Static file serving (router.Static())
    • Now rejects paths containing \, // with 404 Not Found.
    • Now rejects non-empty paths that don't start with a slash. An empty path will still return index.html like before.
    • Now rejects paths containing a ., .. or empty segment.
    • These changes fix a vulnerability when using osfs.FS as the file system for router.Static(): files outside of the base path of the file system were accessible to the clients if they requested a path containing ...
    • For the Content-Disposition header, the actual path is now used to get the name of the file instead of the raw input. This solves the issue of an invalid header value returned when the returned file is index.html.
  • In response.File() and response.Download(), the file is now opened only once instead of thrice.
  • fsutil changes:
    • Added fsutil.DetectContentType(), which sniffs directly from a reader instead of a file name.
    • Added fsutil.DetectContentTypeByExtension() for content type detection fallback.
    • Expanded the list of known file extensions for content type detection.
  • Added testutil.Session(), a new testing utility used to mock the session.Session interface. This implementation is designed to provide a realistic, observable transaction system and help identify incorrect usage.