Default host to localhost when in development mode.

* Running Rack apps on 0.0.0.0 in development mode will allow malicious users on the local network (ex: Coffee Shop) to abuse or potentially exploit the app. Safer to default host to localhost when in development mode.
sinatra · Feb 10, 2013 · 0f9a959 · 0f9a959 · envygeeks · Feb 25, 2013
1 parent 189bce4
commit 0f9a959
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
@@ -1690,7 +1690,7 @@ class << self
     set :run, false                       # start server via at-exit hook?
     set :running, false                   # is the built-in server running now?
     set :server, %w[http webrick]
-    set :bind, '0.0.0.0'
+    set :bind, Proc.new { development? ? 'localhost' : '0.0.0.0' }
     set :port, Integer(ENV['PORT'] || 4567)
 
     ruby_engine = defined?(RUBY_ENGINE) && RUBY_ENGINE

diff --git a/lib/sinatra/main.rb b/lib/sinatra/main.rb
@@ -14,7 +14,7 @@ class Application < Base
       require 'optparse'
       OptionParser.new { |op|
         op.on('-p port',   'set the port (default is 4567)')                { |val| set :port, Integer(val) }
-        op.on('-o addr',   'set the host (default is 0.0.0.0)')             { |val| set :bind, val }
+        op.on('-o addr',   "set the host (default is #{bind})")             { |val| set :bind, val }
         op.on('-e env',    'set the environment (default is development)')  { |val| set :environment, val.to_sym }
         op.on('-s server', 'specify rack server/handler (default is thin)') { |val| set :server, val }
         op.on('-x',        'turn on the mutex lock (default is off)')       {       set :lock, true }