From 02a4da0d0ff37784e034281a3b670a9f92094b71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jiri=20Cincura=20=E2=86=B9?= Date: Thu, 23 Apr 2026 17:37:31 +0200 Subject: [PATCH] Add note for Physical File Provider. (#37029) --- aspnetcore/fundamentals/file-providers.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/aspnetcore/fundamentals/file-providers.md b/aspnetcore/fundamentals/file-providers.md index 1ecc98467a2b..ba6aecb65dc6 100644 --- a/aspnetcore/fundamentals/file-providers.md +++ b/aspnetcore/fundamentals/file-providers.md @@ -59,6 +59,9 @@ The following table lists implementations of `IFileProvider`. The provides access to the physical file system. `PhysicalFileProvider` uses the type (for the physical provider) and scopes all paths to a directory and its children. This scoping prevents access to the file system outside of the specified directory and its children. The most common scenario for creating and using a `PhysicalFileProvider` is to request an `IFileProvider` in a constructor through [dependency injection](xref:fundamentals/dependency-injection). +> [!WARNING] +> `PhysicalFileProvider` scopes access to its root directory and child paths, but this doesn't guarantee a security sandbox. Symbolic links under the root can still expose files outside the root directory. + When instantiating this provider directly, an absolute directory path is required and serves as the base path for all requests made using the provider. Glob patterns aren't supported in the directory path. The following code shows how to use `PhysicalFileProvider` to obtain directory contents and file information: