net/http: make triv.go example less insecure
authorDamien Neil <dneil@google.com>
Sun, 4 Sep 2022 02:51:48 +0000 (19:51 -0700)
committerDamien Neil <dneil@google.com>
Tue, 6 Sep 2022 17:03:18 +0000 (17:03 +0000)
The triv.go example serves the entire contents of $HOME by default.
That seems bad, let's not do that.

Also change it to listen on localhost only.

Change-Id: I8f1b7bd6b7d737852273e2ba82deabc4a2d11f6b
Reviewed-on: https://go-review.googlesource.com/c/go/+/428237
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

src/net/http/triv.go

index 11b19ab30c55be11df0a5e4afb2cc9c847c94d4f..9bf0caa37fec00b32eaee1ae84d5559916cbe2f4 100644 (file)
@@ -118,7 +118,7 @@ func Logger(w http.ResponseWriter, req *http.Request) {
        http.Error(w, "oops", http.StatusNotFound)
 }
 
-var webroot = flag.String("root", os.Getenv("HOME"), "web root directory")
+var webroot = flag.String("root", "", "web root directory")
 
 func main() {
        flag.Parse()
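Review bot: The `-root` usage string is still `"web root directory"`, so `-help` does not tell a user that the new empty default turns file serving off; the second hunk registers the /go/ handler only when `*webroot != ""`. I would change the help text to `"web root directory; if empty, no files are served under /go/"`. A one-line comment above the var, such as `// Empty by default so the example never exposes a directory unless asked to.`, would also record why the default must not be reverted to an environment-derived path. main's body continues past the end of this hunk.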
@@ -128,11 +128,13 @@ func main() {
        expvar.Publish("counter", ctr)
        http.Handle("/counter", ctr)
        http.Handle("/", http.HandlerFunc(Logger))
-       http.Handle("/go/", http.StripPrefix("/go/", http.FileServer(http.Dir(*webroot))))
+       if *webroot != "" {
+               http.Handle("/go/", http.StripPrefix("/go/", http.FileServer(http.Dir(*webroot))))
+       }
        http.Handle("/chan", ChanCreate())
        http.HandleFunc("/flags", FlagServer)
        http.HandleFunc("/args", ArgServer)
        http.HandleFunc("/go/hello", HelloServer)
        http.HandleFunc("/date", DateServer)
-       log.Fatal(http.ListenAndServe(":12345", nil))
+       log.Fatal(http.ListenAndServe("localhost:12345", nil))
 }
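Review bot: When `-root` is supplied, the handler inside the new `if *webroot != ""` block is still a bare `http.FileServer(http.Dir(*webroot))`. The net/http documentation says this serves directory listings and dot-files, and follows symlinks that lead out of the root. The guard removes the dangerous default, but not the exposure once a user opts in, so I would add a comment above the `if`, e.g. `// http.Dir serves dot-files and follows symlinks; point -root only at a directory that is meant to be public.` The `http.ListenAndServe("localhost:12345", nil)` call also runs the default mux with no read or write timeouts, which is acceptable for a loopback-only example but deserves a short comment so the pattern is not copied into a real server. main begins before this hunk, so the handlers registered earlier are not visible here.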