authorKevin Burke <kev@inburke.com>2017-06-22 19:33:42 -0700
committerBrad Fitzpatrick <bradfitz@golang.org>2017-06-23 12:49:38 +0000
commit43ae54ba2a4583fbdbf8a7641bf584ab5f8153b1 (patch)
treea89085defd9789c79c06c0bf23232f36447ce40c
parent143bdc27932451200f3c8f4b304fe92ee8bba9be (diff)
downloadgo-43ae54ba2a4583fbdbf8a7641bf584ab5f8153b1.tar.xz
net/http: document that Dir can serve sensitive directories
Updates #20759. Change-Id: Ic61dcb6d101ad1491dca535aebb6ee8ee740d013 Reviewed-on: https://go-review.googlesource.com/46468 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
-rw-r--r--src/net/http/fs.go6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/net/http/fs.go b/src/net/http/fs.go
index 90a3729cbd..5819334b5f 100644
--- a/src/net/http/fs.go
+++ b/src/net/http/fs.go
@@ -30,6 +30,12 @@ import (
// value is a filename on the native file system, not a URL, so it is separated
// by filepath.Separator, which isn't necessarily '/'.
//
+// Note that Dir will allow access to files and directories starting with a
+// period, which could expose sensitive directories like a .git directory or
+// sensitive files like .htpasswd. To exclude files with a leading period,
+// remove the files/directories from the server or create a custom FileSystem
+// implementation.
+//
// An empty Dir is treated as ".".
type Dir string
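Review bot: The added paragraph on the new side warns only about names with a leading period, but symbolic links give the same kind of exposure. As far as I know, Dir opens the joined path through the operating system, so a link inside the root that points elsewhere is followed and its target served; this should be confirmed against Dir.Open, which is outside this hunk. I would add a sentence such as `// Dir also follows symbolic links that point out of the directory tree, so avoid serving a directory in which untrusted users can create links.` The advice to "remove the files/directories from the server" would also be clearer as "from the served directory tree", since the files only need to leave the tree that Dir exposes. The doc comment begins above the hunk, so the opening sentences were not reviewed.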