net/http: document Dir behavior with symlinks

Based on CL 229377.

Change-Id: I016eec20672c909e8fabe799c277f4d2540fc555
Reviewed-on: https://go-review.googlesource.com/c/go/+/238698
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

diff --git a/src/net/http/fs.go b/src/net/http/fs.go
index f95f2426b7d4ec63000f4073ce2e3cd2001b3189..07d15b07e92f11517a280fbc73d26db42fdeb191 100644 (file)
--- a/src/net/http/fs.go
+++ b/src/net/http/fs.go
@@ -30,11 +30,13 @@ import (
 // value is a filename on the native file system, not a URL, so it is separated
 // by filepath.Separator, which isn't necessarily '/'.
 //
-// Note that Dir will allow access to files and directories starting with a
-// period, which could expose sensitive directories like a .git directory or
-// sensitive files like .htpasswd. To exclude files with a leading period,
-// remove the files/directories from the server or create a custom FileSystem
-// implementation.
+// Note that Dir could expose sensitive files and directories. Dir will follow
+// symlinks pointing out of the directory tree, which can be especially dangerous
+// if serving from a directory in which users are able to create arbitrary symlinks.
+// Dir will also allow access to files and directories starting with a period,
+// which could expose sensitive directories like .git or sensitive files like
+// .htpasswd. To exclude files with a leading period, remove the files/directories
+// from the server or create a custom FileSystem implementation.
 //
 // An empty Dir is treated as ".".
 type Dir string