Use of net/http serve function that has no support for setting timeouts
fmt.Println("GoAdmin web install program start.")
sc <- struct{}{}

if err := http.Serve(l, nil); err != nil {
	log.Fatal("ListenAndServe: ", err)
}
fmt.Println("GoAdmin web install program start.")
Description
HTTP timeouts are necessary to expire inactive connections. Without them the application is vulnerable to attacks such as slowloris, which sends request data very slowly; with no timeout, each such connection stays open indefinitely, and enough of them exhaust the server's connection capacity and cause a denial of service (DoS).
Bad practice
package main

import (
	"fmt"
	"net/http"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
	})
	// http.ListenAndServe uses a zero-value http.Server: no read, write or
	// idle timeouts, so a client that never finishes its request is never dropped.
	err := http.ListenAndServe(":1234", nil)
	if err != nil {
		panic(err)
	}
}
Recommended
package main

import (
	"fmt"
	"net/http"
	"time"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
	})
	// Build the server explicitly so its timeouts can be configured.
	server := &http.Server{
		Addr: ":1234",
		// The whole request header must arrive within 3 seconds,
		// otherwise the connection is closed.
		ReadHeaderTimeout: 3 * time.Second,
	}
	err := server.ListenAndServe()
	if err != nil {
		panic(err)
	}
}
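The recommended pattern goes further when every lifecycle timeout is set, and the effect is easy to verify against a local test server. The following is an added example, not code from the page or from GoAdmin: NewHardenedServer and SlowHeaderIsClosed are hypothetical helpers, and the timeout values are illustrative. SlowHeaderIsClosed sends an incomplete request header to the server on a loopback port and reports whether the server ends the connection on its own.

```go
package main

import (
	"net"
	"net/http"
	"time"
)

// NewHardenedServer returns an http.Server for h with every connection lifecycle
// timeout set, so an idle or deliberately slow client cannot pin a goroutine and
// a socket for an unbounded time. Hypothetical helper; values are illustrative.
func NewHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 2 * time.Second,  // whole request header must arrive in 2s
		ReadTimeout:       5 * time.Second,  // header plus body
		WriteTimeout:      10 * time.Second, // writing the response
		IdleTimeout:       30 * time.Second, // keep-alive wait for the next request
	}
}

// SlowHeaderIsClosed serves srv on an ephemeral loopback port, sends an
// incomplete request header and then stalls, like an inactive connection would.
// It reports true when the server ends the connection (close or error response)
// within wait, i.e. the header timeout is enforced, and false when the
// connection is simply left open.
func SlowHeaderIsClosed(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln) // returns once srv.Close() closes ln
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Request line and one header, but never the blank line that ends the header.
	if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: localhost\r\n")); err != nil {
		return false, err
	}
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err = conn.Read(make([]byte, 1))
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // our own deadline hit first: the server never acted
	}
	return true, nil // EOF/reset or a response: the server ended the exchange
}
```

Running SlowHeaderIsClosed against a zero-value http.Server, as http.ListenAndServe and http.Serve use, returns false because no deadline is ever set on the connection.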