
net/http: document that Dir can serve sensitive directories

Updates #20759.

Change-Id: Ic61dcb6d101ad1491dca535aebb6ee8ee740d013
Reviewed-on: https://go-review.googlesource.com/46468
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
kevinburke authored and bradfitz committed Jun 23, 2017
1 parent 143bdc2 commit 43ae54ba2a4583fbdbf8a7641bf584ab5f8153b1
Showing with 6 additions and 0 deletions.
  1. +6 −0 src/net/http/fs.go
@@ -30,6 +30,12 @@ import (
// value is a filename on the native file system, not a URL, so it is separated
// by filepath.Separator, which isn't necessarily '/'.
//
// Note that Dir will allow access to files and directories starting with a
// period, which could expose sensitive directories like a .git directory or
// sensitive files like .htpasswd. To exclude files with a leading period,
// remove the files/directories from the server or create a custom FileSystem
// implementation.
//
// An empty Dir is treated as ".".
type Dir string
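
Review bot: The last sentence of the added paragraph ("remove the files/directories from the server or create a custom FileSystem implementation") names the remedy without saying what such an implementation has to check. Consider stating that the leading-period test must apply to every element of the requested path, not only the final one, so that a file inside a .git directory is refused as well as .git itself, and that directory listings need the same filtering or they will still reveal the names. A pointer to a runnable example in the package documentation would make the advice actionable. Minor style point: "Note that" can be dropped, since the sentence reads the same starting at "Dir will allow".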
