net/http: document that Dir can serve sensitive directories
authorKevin Burke <kev@inburke.com>
Fri, 23 Jun 2017 02:33:42 +0000 (19:33 -0700)
committerBrad Fitzpatrick <bradfitz@golang.org>
Fri, 23 Jun 2017 12:49:38 +0000 (12:49 +0000)
Updates #20759.

Change-Id: Ic61dcb6d101ad1491dca535aebb6ee8ee740d013
Reviewed-on: https://go-review.googlesource.com/46468
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/net/http/fs.go

index 90a3729cbd5942e05ab60891366b8b1e990010e9..5819334b5f49093fc5e34f48fe7efb0018125223 100644 (file)
@@ -30,6 +30,12 @@ import (
 // value is a filename on the native file system, not a URL, so it is separated
 // by filepath.Separator, which isn't necessarily '/'.
 //
+// Note that Dir will allow access to files and directories starting with a
+// period, which could expose sensitive directories like a .git directory or
+// sensitive files like .htpasswd. To exclude files with a leading period,
+// remove the files/directories from the server or create a custom FileSystem
+// implementation.
+//
 // An empty Dir is treated as ".".
 type Dir string
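Review bot: The remedy in the added paragraph is easy to implement incompletely. A custom FileSystem that tests only the final name for a leading period would still serve `.git/config`, because the period is on a parent element. I would end the paragraph with `// implementation whose Open rejects any path element that begins with a period.` so the check is stated per element. "remove the files/directories from the server" is also ambiguous between the host and the served tree; `from the directory being served` removes the doubt. The doc comment for Dir begins above the hunk, so this covers only the added lines.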