From 5e6ce9c2be85c5badfb0926c9fac2666e4a84895 Mon Sep 17 00:00:00 2001
From: Daan Sprenkels
Date: Thu, 19 Dec 2019 20:01:17 +0400
Subject: [PATCH] Replace io.Copy w/ http.ServeContent for download
---
 handlers.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/handlers.go b/handlers.go
index 77d1ced..e24fed6 100644
--- a/handlers.go
+++ b/handlers.go
@@ -3,7 +3,6 @@ package rushlink
 import (
 "crypto/subtle"
 "fmt"
- "io"
 "log"
 "mime/multipart"
 "net/http"
@@ -95,12 +94,17 @@ func (rl *rushlink) uploadFileGetHandler(w http.ResponseWriter, r *http.Request)
 // unexpected error
 panic(err)
 }
- w.Header().Set("Content-Type", fu.ContentType)
- w.WriteHeader(http.StatusOK)
- if r.Method == "HEAD" {
- return
+ info, err := file.Stat()
+ var modtime time.Time
+ if err != nil {
+ log.Printf("error: %v", errors.Wrapf(err, "could not stat file '%v'", filePath))
+ } else {
+ modtime = info.ModTime()
 }
- io.Copy(w, file)
+ // We use http.ServeContent (instead of http.ServeFile) because we cannot
+ // use http.ServeFile together with the assertion that the file exists,
+ // without introducing a TOCTOU flaw.
+ http.ServeContent(w, r, fu.FileName, modtime, file)
 }
 func (rl *rushlink) viewPasteHandler(w http.ResponseWriter, r *http.Request) {
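Review bot: The response Content-Type is no longer pinned in the second hunk: with `w.Header().Set("Content-Type", fu.ContentType)` removed and nothing put in its place, `http.ServeContent` picks the type from the extension of `fu.FileName` and, failing that, by sniffing the first block of the file. If that name comes from the uploader (not visible in this hunk), a stored file with an HTML or SVG extension would be served as active content on the service's own origin, which the previous explicit header may have prevented. Keeping `w.Header().Set("Content-Type", fu.ContentType)` directly before the `http.ServeContent` call restores the old behaviour, since ServeContent leaves an already-set Content-Type alone, and `w.Header().Set("X-Content-Type-Options", "nosniff")` would stop browsers from overriding it. Separately, the new lines use `time.Time` while the import hunk only removes `"io"`, so confirm `time` is already imported outside the shown context. The body of uploadFileGetHandler starts above this hunk, so any earlier header handling is not visible here.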