
It's a bit funny how timeattack is trying not to disclose the nature of the bug publicly and goes through the trouble of sending a private email and notifying here, then you spill the beans publicly in a reply. :D

It might be obvious to many, but to many more it would not be. It just raises the chances of someone exploiting it before anderspitman fixed it.

The window was pretty small though, so that's good.



To the Hacker News crowd, I think that anybody who read timeattack's comment thought: a server application that outputs files given a filepath? Maybe we can forge some absolute path? And then, 5 minutes later, on GitHub, you confirm your hypothesis by reading 62 lines of Go.

Nevertheless, I am respectful of responsible security disclosure. Maybe timeattack will prefer to use an entirely private channel to communicate with the server owner next time?

In the end, the info was already out, the author fixed it real quick and I hope he has cleaned his server by now ;)
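The bug class the two comments above are circling (a server that hands back a file for whatever path the client supplies, so an absolute path or a `..` chain reaches outside the intended directory) is usually fixed by confining the request to a root directory before touching the filesystem. The following Go snippet is an added illustration of that confinement and is not anderspitman's code or the project's actual fix; the `resolveSafePath` and `fileHandler` names, the `/srv/site` root and the sample requests are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any request that would leave the served directory.
var ErrOutsideRoot = errors.New("requested path escapes the served root")

// resolveSafePath maps a client-supplied relative path onto a file under root.
// It rejects absolute paths outright and rejects paths that still climb above
// root after ".." segments are collapsed, instead of silently normalising them,
// so the caller can log the attempt. (Hypothetical helper written for this example.)
func resolveSafePath(root, requested string) (string, error) {
	// An absolute path from the client can never be a legitimate file under root.
	if filepath.IsAbs(requested) || strings.HasPrefix(requested, "/") || strings.HasPrefix(requested, "\\") {
		return "", ErrOutsideRoot
	}
	// Clean collapses "." and ".." lexically; anything that still starts with
	// ".." would escape root once joined.
	cleaned := filepath.Clean(requested)
	if cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	full := filepath.Join(root, cleaned)
	// Defence in depth: recompute the relative path and confirm it is inside root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// fileHandler serves files from root via resolveSafePath. Rejected requests get
// a 400 and a log line, which is the signal a defender wants to see.
func fileHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Assumption for the example: the file path is taken straight from the URL path.
		requested := strings.TrimPrefix(r.URL.Path, "/")
		full, err := resolveSafePath(root, requested)
		if err != nil {
			log.Printf("rejected path %q from %s: %v", r.URL.Path, r.RemoteAddr, err)
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		http.ServeFile(w, r, full)
	}
}

func main() {
	// Constructed sample requests, evaluated without starting a server.
	root := "/srv/site"
	for _, req := range []string{"index.html", "docs/../readme.txt", "../../etc/passwd", "/etc/passwd", "a/../../b"} {
		full, err := resolveSafePath(root, req)
		fmt.Printf("%-20q -> %q err=%v\n", req, full, err)
	}
	// In a real server: http.Handle("/", fileHandler(root)) followed by http.ListenAndServe.
	_ = fileHandler(root)
}
```

The check is purely lexical: it stops `..` and absolute paths, but a symlink inside the root that points elsewhere would still be followed by `http.ServeFile`, so a root that untrusted users can write to needs an additional check on the resolved target (for example with `filepath.EvalSymlinks`). Rejecting rather than normalising traversal attempts also gives the log line that makes the scanning described in the thread visible.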



