Skip to content

net/http/pprof: assess and document security implications of the goroutines endpoint #46307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
FiloSottile opened this issue May 21, 2021 · 2 comments
Open

net/http/pprof: assess and document security implications of the goroutines endpoint #46307

FiloSottile opened this issue May 21, 2021 · 2 comments
Assignees
@mknyszek
Labels
compiler/runtime Issues related to the Go compiler and/or runtime. Documentation Issues describing a change to documentation. NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Go1.25

Comments

@FiloSottile
Copy link
Contributor

The net/http/pprof endpoints include stack traces with integer arguments, which can leak sensitive information depending on the settings. We should mention that in the docs.
@FiloSottile FiloSottile added Documentation Issues describing a change to documentation. Security labels May 21, 2021
@dmitshur dmitshur added this to the Backlog milestone May 21, 2021
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label May 21, 2021
@FiloSottile FiloSottile changed the title net/http/pprof: add note about security implications to the docs net/http/pprof: assess and document security implications of the goroutines endpoint Jun 10, 2021
@FiloSottile
Copy link
Contributor Author

Maybe we should even hide the variables from the net/http/pprof output, or make them optional.

@gopherbot gopherbot added the compiler/runtime Issues related to the Go compiler and/or runtime. label Jun 13, 2023
@mknyszek mknyszek self-assigned this Jun 14, 2023
@mknyszek mknyszek modified the milestones: Backlog, Go1.22 Jun 16, 2023
@mknyszek mknyszek modified the milestones: Go1.22, Go1.23 Nov 28, 2023
@gopherbot gopherbot modified the milestones: Go1.23, Go1.24 Aug 13, 2024
@gopherbot gopherbot modified the milestones: Go1.24, Go1.25 Feb 11, 2025
@rleungx
Copy link
Contributor

rleungx commented Feb 18, 2025

Is there any update on this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mknyszek mknyszek

Labels
compiler/runtime Issues related to the Go compiler and/or runtime. Documentation Issues describing a change to documentation. NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
Go Compiler / Runtime
Status: Todo
Milestone
Go1.25
Development

No branches or pull requests
5 participants
@FiloSottile @mknyszek @dmitshur @gopherbot @rleungx