restrictions
dazinator opened this issue · 1 comments
Its interesting to read #232 #213 #186 where basically the comments from the team seem to indicate an intention to bake in security restrictions (such as ignoring files that start with ".") to make particular files invisible.
Seems backwards to me. It seems these decisions may be taken purely because one use case for a provider is to automatically serve up content from a webroot directory to the browser.
However this is not the sole use case. The environment also has a content root file provider. Also the fileprovider does not appear to be tied to asp.net web app necessarily, and could be used from console apps. When a developer wants to read a file, how do you know their use case isn't to read a file that is hidden or starts with a dot?
It seems to me that the consequences of setting a physical file provider to serve a webroot folder should be understood by develoers i e every file in that folder is serveable.
If it's not desirable to serve certain files wouldn't middleware be the best place to stop that - not the file provider itself?
Just thought I'd chime in with my opinion - because after all, this is github :-)
This issue was moved to aspnet/Home#2547