net/http: document that Dir can serve sensitive directories

Updates #20759. Change-Id: Ic61dcb6d101ad1491dca535aebb6ee8ee740d013 Reviewed-on: https://go-review.googlesource.com/46468Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

net/http: document that Dir can serve sensitive directories
Updates #20759. Change-Id: Ic61dcb6d101ad1491dca535aebb6ee8ee740d013 Reviewed-on: https://go-review.googlesource.com/46468Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
43ae54ba · Kevin Burke · Brad Fitzpatrick · 143bdc27 · 43ae54ba
Commit 43ae54ba authored Jun 23, 2017 by Kevin Burke Committed by Brad Fitzpatrick Jun 23, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

fs.go src/net/http/fs.go +6 -0

No files found.
--- a/src/net/http/fs.go
+++ b/src/net/http/fs.go
@@ -30,6 +30,12 @@ import (
 // value is a filename on the native file system, not a URL, so it is separated
 // by filepath.Separator, which isn't necessarily '/'.
 //
+// Note that Dir will allow access to files and directories starting with a
+// period, which could expose sensitive directories like a .git directory or
+// sensitive files like .htpasswd. To exclude files with a leading period,
+// remove the files/directories from the server or create a custom FileSystem
+// implementation.
+//
 // An empty Dir is treated as ".".
 type Dir string