From ceabbb96f3ea960c06beccce4dc2ffacba2e7ec4 Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Wed, 17 Nov 2021 23:19:04 -0500
Subject: cmd/golangorg: hide $GOROOT/*.md

We do not intend $GOROOT/README.md to be served
as go.dev/README, and so on. Worst of all, on Macs and Windows
(with case-insensitive file systems), SECURITY.md overrides
_content/security.html.

Change-Id: I4ac53508c34a4799aa4afd45db7e7e266e179936
Reviewed-on: https://go-review.googlesource.com/c/website/+/365098
Trust: Russ Cox <rsc@golang.org>
Reviewed-by: Jamal Carvalho <jamal@golang.org>
---
 cmd/golangorg/server.go          | 18 +++++++++++++++++-
 cmd/golangorg/testdata/godev.txt | 11 +++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

(limited to 'cmd')

diff --git a/cmd/golangorg/server.go b/cmd/golangorg/server.go
index eec03c54..86876da5 100644
--- a/cmd/golangorg/server.go
+++ b/cmd/golangorg/server.go
@@ -244,7 +244,7 @@ func playHandler(site *web.Site) http.Handler {
 // and registers it in mux to handle requests for host.
 // If host is the empty string, the registrations are for the wildcard host.
 func newSite(mux *http.ServeMux, host string, content, goroot fs.FS) (*web.Site, error) {
-	fsys := unionFS{content, &fixSpecsFS{goroot}}
+	fsys := unionFS{content, &hideRootMDFS{&fixSpecsFS{goroot}}}
 	site := web.NewSite(fsys)
 	site.Funcs(template.FuncMap{
 		"googleAnalytics": func() string { return googleAnalytics },
@@ -653,6 +653,22 @@ func (fsys fixSpecsFS) Open(name string) (fs.File, error) {
 	return fsys.fs.Open(name)
 }
 
+// A hideRootMDFS is an FS that hides *.md files in the root directory.
+// We use this to hide the Go repository's CONTRIBUTING.md,
+// README.md, and SECURITY.md. The last is particularly problematic
+// when running locally on a Mac, because it can be opened as
+// security.md, which takes priority over _content/security.html.
+type hideRootMDFS struct {
+	fs fs.FS
+}
+
+func (fsys hideRootMDFS) Open(name string) (fs.File, error) {
+	if !strings.Contains(name, "/") && strings.HasSuffix(name, ".md") {
+		return nil, errors.New(".md file not available")
+	}
+	return fsys.fs.Open(name)
+}
+
 // A seekableFS is an FS wrapper that makes every file seekable
 // by reading it entirely into memory when it is opened and then
 // serving read operations (including seek) from the memory copy.
diff --git a/cmd/golangorg/testdata/godev.txt b/cmd/golangorg/testdata/godev.txt
index 5ea8d15e..64c0e2be 100644
--- a/cmd/golangorg/testdata/godev.txt
+++ b/cmd/golangorg/testdata/godev.txt
@@ -46,3 +46,14 @@ body contains Sorry, but shared playground snippets are not visible in China.
 body !contains The Go Playground
 body !contains About the Playground
 
+# These $GOROOT/*.md files should not serve.
+GET https://go.dev/CONTRIBUTING
+code == 404
+
+GET https://go.dev/README
+code == 404
+
+# $GOROOT/SECURITY.md should not serve either,
+# but on a case-insensitive file system,
+# https://go.dev/SECURITY is served from _content/security.html,
+# so we can't assert a 404.
-- 
cgit v1.3-5-g9baa