Don't listen to 0.0.0.0 by default for security reasons. (#22077)

A developer might start emrun without thinking about the --hostname setting. So he might expose sensible data on the webserver to the LAN or to the Internet. It might even happen, that a vulnerable Emsdk version becomes publicly reachable. Instead use localhost (127.0.0.1) by default, which is usually sufficient for development.
emscripten-core · Sep 27, 2024 · 7b0fec6 · 7b0fec6
1 parent f508b43
commit 7b0fec6
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -29,6 +29,8 @@ See docs/process.md for more on how version tagging works.
 - The number of arguments passed to Embind function calls is now only verified
   with ASSERTIONS enabled. (#22591)
 - Optional arguments can now be omitted from Embind function calls. (#22591)
+- emrun now listens to localhost only by default.
+  Configure old behaviour by passing `--hostname 0.0.0.0` (#22077)
 
 3.1.67 - 09/17/24
 -----------------

diff --git a/emrun.py b/emrun.py
@@ -84,9 +84,9 @@
 processname_killed_atexit = ""
 
 # Using "0.0.0.0" means "all interfaces", which should allow connecting to this
-# server via LAN addresses. Using "localhost" should allow only connecting from
-# local computer.
-default_webserver_hostname = '0.0.0.0'
+# server via LAN or public Internet addresses, which might be a security risk.
+# Using "localhost" should allow only connecting from local computer.
+default_webserver_hostname = 'localhost'
 
 # If user does not specify a --port parameter, this port is used to launch the
 # server.