From ed6ba12a8576962588cb48ead9a0d30bf4eb2331 Mon Sep 17 00:00:00 2001
From: Henrique Dias
Date: Wed, 26 Jul 2017 09:22:15 +0100
Subject: [PATCH] Add disclaimer about path trasversal

Former-commit-id: b5be8beba4be0dd54dca763404d7c016ed1b82fb [formerly 5c9091743b1dcb5feb7c344668dd90a6f06c46bc] [formerly 008c8b1fd0898398ed2eafa15ec1b4b77d339ca6 [formerly fc02e7ef573713daec4cb9c97acc783ee7d3ff51]]
Former-commit-id: 96701a45bd218c70002b1c5b3298703cbf18f9a5 [formerly 8ff492e7cb61e5946eaf6332496e1af1575c360d]
Former-commit-id: 64a1d5238ffe16acbbf8cf5fe9b2825759658194
---
 resource.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/resource.go b/resource.go
index a6b6595f..51b3954c 100644
--- a/resource.go
+++ b/resource.go
@@ -12,6 +12,12 @@ import (
 "strings"
 )
 
+// DISCLAIMER: this doesn't sanitize the target path so some may think
+// that path trasversal would be possible and the user could change files
+// outside of their scope. The User.FileSystem variable is of type webdav.Dir
+// which does those checks so this package doesn't need to do them.
+// https://github.com/golang/net/blob/master/webdav/file.go#L68
+
 func resourceHandler(c *RequestContext, w http.ResponseWriter, r *http.Request) (int, error) {
 switch r.Method {
 case http.MethodGet:
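Review bot: The added comment records a security assumption that nothing in this package enforces: path containment holds only while `User.FileSystem` is a `webdav.Dir`, and a later change that assigns any other `webdav.FileSystem` implementation to that field would drop the traversal check while the comment still claims it is covered. State it as a requirement rather than a description, e.g. `// User.FileSystem MUST be a webdav.Dir (or another FileSystem that confines paths to its root); this package does no path sanitization of its own and relies on that.`, and where the field is populated consider a type assertion or a `var _ webdav.FileSystem = webdav.Dir("")`-style check so the dependency is visible to the compiler rather than only to readers. The link to `file.go#L68` on `master` is a moving target that will point at the wrong line after the next upstream edit; cite a tagged release or commit of golang.org/x/net, or describe the behaviour (the Dir's path resolution rejecting escapes from its root) instead of a line number. The spelling "trasversal" appears in both the comment and the commit subject.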