net/http/pprof: assess and document security implications of the goroutines endpoint #46307

FiloSottile · 2021-05-21T15:04:46Z

The net/http/pprof endpoints include stack traces with integer arguments, which can leak sensitive information depending on the settings. We should mention that in the docs.

FiloSottile · 2021-06-10T12:21:12Z

Maybe we should even hide the variables from the net/http/pprof output, or make them optional.

FiloSottile added Documentation Security labels May 21, 2021

dmitshur added this to the Backlog milestone May 21, 2021

dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label May 21, 2021

FiloSottile changed the title ~~net/http/pprof: add note about security implications to the docs~~ net/http/pprof: assess and document security implications of the goroutines endpoint Jun 10, 2021

gopherbot added the compiler/runtime Issues related to the Go compiler and/or runtime. label Jun 13, 2023

mknyszek self-assigned this Jun 14, 2023

mknyszek modified the milestones: Backlog, Go1.22 Jun 16, 2023

net/http/pprof: assess and document security implications of the goroutines endpoint #46307

net/http/pprof: assess and document security implications of the goroutines endpoint #46307

FiloSottile commented May 21, 2021

FiloSottile commented Jun 10, 2021

net/http/pprof: assess and document security implications of the goroutines endpoint #46307

net/http/pprof: assess and document security implications of the goroutines endpoint #46307

Comments

FiloSottile commented May 21, 2021

FiloSottile commented Jun 10, 2021