Damien Neil

I don't think the composability of `IgnoreFieldsExcept` is particularly surprising: It isn't hard to understand that the fields which remain are the union of all fields that were not ignored.

There's no undefined behavior here. The *semantics* of HEAD requests with a body are undefined--there's no RFC that I know of that defines what that body means--but the mechanics of...

Sorry for missing this when it was originally filed. So far as I can tell, `Server.ReadTimeout` is simply not implemented for HTTP/2 at the moment. It should be. Working on...

I'm not sold on the name, although "Sanitize" does have the connotation of being more than just clean. ("To reduce or eliminate pathogenic agents", says Merriam-Webster.) Symbolic links are an...

To restrict a path to some other working directory, you join the sanitized path to that directory: ``` sanitized, err := filepath.Sanitize(untrusted) if err != nil { /* ... */...

`SafeJoin` seems easier to reason about, and I agree that most cases where you want this are going to join the path to a base anyway. I'm not sold on...

Thinking more about symlinks, filename sanitization is the wrong time to check for links. Links need to be checked for atomically at file open time, to avoid TOCTOU bugs. Possibly...

I believe we have two possible APIs at this point. One is a `Sanitize` function which takes a path and makes it safe. This is my original proposal (although I'm...

> Could you give some more detail on that? It seems like the security property we want from SafeJoin is “no writes outside of a particular working directory”, but Join("a",...

An interesting question is what should be done with a relative path of `"."`. Is the base directory itself within the set of safe paths? ``` Sanitize(".") // "." or...