From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Mon, 14 Dec 2020 20:09:17 +0000 (-0800)
Subject: net/http/pprof: don't treat os.Args as format string in Cmdline handler
X-Git-Tag: go1.16beta1~24
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=48906a6d57fdc3c6fd2b6b9fe4c0e31dc225a058;p=gostls13.git

net/http/pprof: don't treat os.Args as format string in Cmdline handler

Found by @josharian running staticcheck against a fork of this code
elsewhere.

Change-Id: Ica8bae5df71adde1a71e541dd55b0b81b97b3baf
Reviewed-on: https://go-review.googlesource.com/c/go/+/277992
Reviewed-by: Josh Bleecher Snyder <josharian@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Josh Bleecher Snyder <josharian@gmail.com>
---

diff --git a/src/net/http/pprof/pprof.go b/src/net/http/pprof/pprof.go
index 2bfcfb9545..5389a388c1 100644
--- a/src/net/http/pprof/pprof.go
+++ b/src/net/http/pprof/pprof.go
@@ -91,7 +91,7 @@ func init() {
 func Cmdline(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	fmt.Fprintf(w, strings.Join(os.Args, "\x00"))
+	fmt.Fprint(w, strings.Join(os.Args, "\x00"))
 }
 
 func sleep(r *http.Request, d time.Duration) {