Reject requests where r.URL.Path contains a ".." path element to protect
against callers who might unsafely use filepath.Join on r.URL.Path
without sanitizing it.
Error handling is currently missing is a couple of places. Most of
them are i/o related.
This change adds checks, an therefore sometimes also has to change
function signatures by adding an error return value. In the case of
the response writer the status and meta handling is changed and this
also breaks the API.
In some places where we don't have any reasonable I've added
assignment to a blank identifier to make it clear that we're ignoring
an error.
text: read the Err() that can be set by the scanner.
client: check if conn.SetDeadline() returns an error.
client: check if req.Write() returns an error.
fs: panic if mime type registration fails.
server: stop performing i/o in Header/Status functions
By deferring the actual header write to the first Write() or Flush()
call we don't have to do any error handling in Header() or Status().
As Server.respond() now defers a ResponseWriter.Flush() instead of
directly flushing the underlying bufio.Writer this has the added
benefit of ensuring that we always write a header
to the client, even if the responder is a complete NOOP.
tofu: return an error if we fail to write to the known hosts writer.