pprof is publicly accessible even when ENABLE_PPROF=false #4966

Closed
@krombel

Description

I do not expect to have that debug information publicly available.

Those get added in go-macaron/toolbox:

    m.Any(path.Join(opt.PprofURLPrefix, "cmdline"), pprof.Cmdline)
    m.Any(path.Join(opt.PprofURLPrefix, "profile"), pprof.Profile)
    m.Any(path.Join(opt.PprofURLPrefix, "symbol"), pprof.Symbol)
    m.Any(opt.PprofURLPrefix, pprof.Index)
    m.Any(path.Join(opt.PprofURLPrefix, "*"), pprof.Index)

which got added in #1290:

    m.Use(toolbox.Toolboxer(m, toolbox.Options{
        HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
            {
                Desc: "Database connection",
                Func: models.Ping,
            },
        },
    }))

Sadly, there does not seem to be an option to disable this without removing the Toolbox completely.

//EDIT: As a temporary workaround I added this to my nginx config:

        location /debug {
                return 403;
        }
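
The same guard can sit inside the application instead of the reverse proxy. The following is an added example, not code from this issue, Gitea or go-macaron/toolbox: it uses plain `net/http` rather than Macaron, the names `blockDebug`, `newApp` and `status` are hypothetical, and the `/debug` prefix is taken from the nginx workaround above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"path"
	"strings"
)

// blockDebug answers 403 for /debug and everything below it unless enabled is
// true. The path is cleaned first so "//debug/..." or "/x/../debug/..." match too.
func blockDebug(enabled bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := path.Clean("/" + r.URL.Path)
		if !enabled && (p == "/debug" || strings.HasPrefix(p, "/debug/")) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newApp is a constructed stand-in application: the pprof routes are always
// registered (as in the issue), and the guard decides whether they are reachable.
func newApp(enablePprof bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "home") })
	return blockDebug(enablePprof, mux)
}

// status returns the HTTP status code the handler gives for GET target.
func status(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	for _, on := range []bool{false, true} {
		app := newApp(on)
		for _, u := range []string{"/", "/debug", "/debug/pprof/", "/debug/pprof/cmdline"} {
			fmt.Printf("pprof enabled=%-5v GET %-22s -> %d\n", on, u, status(app, u))
		}
	}
}
```

Unlike the nginx `location /debug` prefix match, this guard does not block unrelated paths such as `/debugger`.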
