drive: use secret token to authenticate access to file server on localhost

This prevents Mark-of-the-Web bypass attacks in case someone visits the
localhost WebDAV server directly.

Fixes tailscale/corp#19592

Signed-off-by: Percy Wegmann <percy@tailscale.com>

drive/driveimpl/compositedav/compositedav.go

@@ -162,7 +162,7 @@ func (h *Handler) delegate(mpl int, pathComponents []string, w http.ResponseWrit
 
 	u, err := url.Parse(baseURL)
 	if err != nil {
-		h.logf("warning: parse base URL %s failed: %s", child.BaseURL, err)
+		h.logf("warning: parse base URL %s failed: %s", baseURL, err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}