From dc629ec939c006aca7a8d60a176253057b28e10c Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Sat, 3 Sep 2022 19:51:48 -0700 Subject: [PATCH] net/http: make triv.go example less insecure The triv.go example serves the entire contents of $HOME by default. That seems bad, let's not do that. Also change it to listen on localhost only. Change-Id: I8f1b7bd6b7d737852273e2ba82deabc4a2d11f6b Reviewed-on: https://go-review.googlesource.com/c/go/+/428237 Run-TryBot: Damien Neil Reviewed-by: Tatiana Bradley TryBot-Result: Gopher Robot --- src/net/http/triv.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/net/http/triv.go b/src/net/http/triv.go index 11b19ab30c..9bf0caa37f 100644 --- a/src/net/http/triv.go +++ b/src/net/http/triv.go @@ -118,7 +118,7 @@ func Logger(w http.ResponseWriter, req *http.Request) { http.Error(w, "oops", http.StatusNotFound) } -var webroot = flag.String("root", os.Getenv("HOME"), "web root directory") +var webroot = flag.String("root", "", "web root directory") func main() { flag.Parse() @@ -128,11 +128,13 @@ func main() { expvar.Publish("counter", ctr) http.Handle("/counter", ctr) http.Handle("/", http.HandlerFunc(Logger)) - http.Handle("/go/", http.StripPrefix("/go/", http.FileServer(http.Dir(*webroot)))) + if *webroot != "" { + http.Handle("/go/", http.StripPrefix("/go/", http.FileServer(http.Dir(*webroot)))) + } http.Handle("/chan", ChanCreate()) http.HandleFunc("/flags", FlagServer) http.HandleFunc("/args", ArgServer) http.HandleFunc("/go/hello", HelloServer) http.HandleFunc("/date", DateServer) - log.Fatal(http.ListenAndServe(":12345", nil)) + log.Fatal(http.ListenAndServe("localhost:12345", nil)) }