From: Katie Hockman Date: Thu, 18 Jun 2020 15:26:07 +0000 (-0400) Subject: net/http: document Dir behavior with symlinks X-Git-Tag: go1.15rc1~73 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=18bcc7c2854f900dfb631d7ef01a839021e24576;p=gostls13.git net/http: document Dir behavior with symlinks Based on CL 229377. Change-Id: I016eec20672c909e8fabe799c277f4d2540fc555 Reviewed-on: https://go-review.googlesource.com/c/go/+/238698 Run-TryBot: Katie Hockman TryBot-Result: Gobot Gobot Reviewed-by: Filippo Valsorda --- diff --git a/src/net/http/fs.go b/src/net/http/fs.go index f95f2426b7..07d15b07e9 100644 --- a/src/net/http/fs.go +++ b/src/net/http/fs.go @@ -30,11 +30,13 @@ import ( // value is a filename on the native file system, not a URL, so it is separated // by filepath.Separator, which isn't necessarily '/'. // -// Note that Dir will allow access to files and directories starting with a -// period, which could expose sensitive directories like a .git directory or -// sensitive files like .htpasswd. To exclude files with a leading period, -// remove the files/directories from the server or create a custom FileSystem -// implementation. +// Note that Dir could expose sensitive files and directories. Dir will follow +// symlinks pointing out of the directory tree, which can be especially dangerous +// if serving from a directory in which users are able to create arbitrary symlinks. +// Dir will also allow access to files and directories starting with a period, +// which could expose sensitive directories like .git or sensitive files like +// .htpasswd. To exclude files with a leading period, remove the files/directories +// from the server or create a custom FileSystem implementation. // // An empty Dir is treated as ".". type Dir string