From 3349e86c0af609875998251fa4b48e8bee3e7495 Mon Sep 17 00:00:00 2001
From: Percy Wegmann
Date: Wed, 1 May 2024 14:38:01 -0500
Subject: [PATCH] drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592
Signed-off-by: Percy Wegmann
---
 drive/driveimpl/compositedav/compositedav.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drive/driveimpl/compositedav/compositedav.go b/drive/driveimpl/compositedav/compositedav.go
index c83293691..9e5a293ac 100644
--- a/drive/driveimpl/compositedav/compositedav.go
+++ b/drive/driveimpl/compositedav/compositedav.go
@@ -162,7 +162,7 @@ func (h *Handler) delegate(mpl int, pathComponents []string, w http.ResponseWrit
 u, err := url.Parse(baseURL)
 if err != nil {
- h.logf("warning: parse base URL %s failed: %s", child.BaseURL, err)
+ h.logf("warning: parse base URL %s failed: %s", baseURL, err)
 http.Error(w, err.Error(), http.StatusInternalServerError)
 return
 }
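Review bot: The parse-failure branch writes `baseURL` verbatim to the log and returns `err.Error()` to the HTTP client, and a `url.Parse` failure is a `*url.Error` whose message quotes the input URL. If `baseURL` carries the secret token named in the commit subject (its construction is not visible in this hunk, so this is an assumption to confirm), both sinks would disclose the credential that is meant to gate the localhost file server. I would keep the detail out of the response with `http.Error(w, "invalid base URL", http.StatusInternalServerError)` and log a redacted form of the URL, using `%q` rather than `%s` so that control characters in a malformed value cannot forge log lines. The body of `delegate` starts and ends outside the hunk, so whether `baseURL` is already sanitised upstream cannot be checked from here.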