What happened to goplay?

Question

What happened to goplay? I see a lot of earlier references to a utility that used to ship with go at /misc/goplay. However, it seems this has been removed in go1.3.

The old version is still viewable on the source repo as late as go1.3beta2: go1.3beta2: misc/goplay/, and works if you install it locally. Poking around a bit, I find that it was removed at revision 2daa4d89e0d9 citing concerns about code execution.

The playground is great, but it doesn't seem like it is easy to run your own local instance that will work with all of the libraries you have on path, and for some libraries, svgo in particular, it seems very useful to have a utility like goplay. Is there some new utility that is meant to supplant it? Is there a canonical choice of third party utility to achieve the same effect?

Answer 1

Score: 3

The commit message for its removal seems fairly straightforward. Anyone who could connect to the goplay server can execute arbitrary code as the user.

By default it listens on localhost, which makes it vulnerable to attacks from other local users on the machine, but if you configure it to listen on another address it will allow remote code execution.

You cite the ability to make use of packages not available on the Go Playground as a benefit, but this is also why goplay is less secure: the set of packages available to the Playground was chosen in order to close off attack vectors.

The code is still available in the repository history, so you can download and compile it if you want, but it is not recommended. For local development, you could probably get a better experience by teaching your favourite text editor to run go run filename.go in response to a shortcut or button press.
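
The risk described in the answer above (a loopback listener is still reachable by every local user) can be narrowed for a local run-code service by requiring a secret that only the starting user sees. This is an added Go example, not part of the original answer and not goplay's code; the header name X-Run-Token, port 8080 and the placeholder handler are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
)

// newToken returns a random per-run secret; it refuses to start without secure randomness.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// authorize returns 403 for non-loopback peers, 401 for a wrong or missing token, else 200.
func authorize(remoteAddr, got, token string) int {
	host, _, err := net.SplitHostPort(remoteAddr)
	if ip := net.ParseIP(host); err != nil || ip == nil || !ip.IsLoopback() {
		return http.StatusForbidden
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// guard wraps a handler so it runs only for requests that pass authorize.
func guard(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := authorize(r.RemoteAddr, r.Header.Get("X-Run-Token"), token); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	token := newToken()
	fmt.Println("X-Run-Token:", token) // shown only on the starting user's terminal
	run := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	panic(http.ListenAndServe("127.0.0.1:8080", guard(token, run))) // ":8080" would bind every interface
}
```

The token only helps if it stays out of places other local users can read, such as command-line arguments or world-readable files.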

huangapple
  • Posted on June 24, 2014 09:06:10
  • When reposting, please keep the link to this article: https://go.coder-hub.com/24376865.html