net/http: make triv.go example less insecure

The triv.go example serves the entire contents of $HOME by default. That seems bad, let's not do that. Also change it to listen on localhost only. Change-Id: I8f1b7bd6b7d737852273e2ba82deabc4a2d11f6b Reviewed-on: https://go-review.googlesource.com/c/go/+/428237 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
2024-09-30 22:48:32 -06:00 · 2022-09-03 19:51:48 -07:00 · 2022-09-03 19:51:48 -07:00 · dc629ec939
commit dc629ec939
parent e1e88d636b
1 changed files with 5 additions and 3 deletions
--- a/src/net/http/triv.go
+++ b/src/net/http/triv.go
@ -118,7 +118,7 @@ func Logger(w http.ResponseWriter, req *http.Request) {
 	http.Error(w, "oops", http.StatusNotFound)
 }

-var webroot = flag.String("root", os.Getenv("HOME"), "web root directory")
+var webroot = flag.String("root", "", "web root directory")

 func main() {
 	flag.Parse()
@ -128,11 +128,13 @@ func main() {
 	expvar.Publish("counter", ctr)
 	http.Handle("/counter", ctr)
 	http.Handle("/", http.HandlerFunc(Logger))
-	http.Handle("/go/", http.StripPrefix("/go/", http.FileServer(http.Dir(*webroot))))
+	if *webroot != "" {
+		http.Handle("/go/", http.StripPrefix("/go/", http.FileServer(http.Dir(*webroot))))
+	}
 	http.Handle("/chan", ChanCreate())
 	http.HandleFunc("/flags", FlagServer)
 	http.HandleFunc("/args", ArgServer)
 	http.HandleFunc("/go/hello", HelloServer)
 	http.HandleFunc("/date", DateServer)
-	log.Fatal(http.ListenAndServe(":12345", nil))
+	log.Fatal(http.ListenAndServe("localhost:12345", nil))
 }