Germinal v0.2.0 update
- 📧 Messages: 4
- 🗣️ Authors: 2
- 📅 First Message: 2020-06-14 02:06
- 📅 Last Message: 2020-06-15 11:01
1. Jason McBrayer (jmcbray (a) carcosa.net)
- 📅 Sent: 2020-06-14 02:06
- 📧 Message 1 of 4
Germinal update!

I would like to announce the release of version 0.2 of my Common Lisp Gemini server, Germinal[1]. In this release:

* Support for configuration by command-line or TOML config file.
* Many, many bug fixes, many of which are thanks to Tobias Rautenkranz

The most important of these bug fixes is a fix to a path-traversal bug that could have allowed carefully constructed requests to read world-readable files from outside your Germinal document root. (There was code to catch path traversals before, but it was wrong, and only caught simple cases.) If you are running Germinal, it is *highly* recommended that you upgrade because of this bug.

Also, write to me[2]; there can't be more than a couple of people running this, and until Tobias started submitting pull requests, I thought I was the only one.

=> /germinal/ [1] Germinal home page on Gemini.
=> mailto:jmcbray+germinal at carcosa.net [2] Email me.

The source is hosted on my own gitea instance[3], and I'm happy to accept patches either there, or by email (format with git-format-patch and/or git-send-email).

=> https://git.carcosa.net/jmcbray/germinal/ [3] Germinal gitea

If you are a smug Lisp weenie, please be gentle. I'm a Lisp newbie whomst is trying to learn things by writing this.

-- 
+-----------------------------------------------------------+
| Jason F. McBrayer                   jmcbray at carcosa.net |
| If someone conquers a thousand times a thousand others in |
| battle, and someone else conquers himself, the latter one |
| is the greatest of all conquerors. --- The Dhammapada     |
2. solderpunk (solderpunk (a) SDF.ORG)
- 📅 Sent: 2020-06-14 09:46
- 📧 Message 2 of 4
On Sat, Jun 13, 2020 at 10:06:39PM -0400, Jason McBrayer wrote:
> The most important of these bug fixes is a fix to a path-traversal bug,
> that could have allowed carefully constructed requests to read
> world-readable files from outside your Germinal document root. (There
> was code to catch path traversals before, but it was wrong, and only
> caught simple cases).

Path-traversal bugs are scary! Is it worth sharing the details of this so that other server authors can check for analogous bugs in their servers? Or was it highly specific to your programming language or server design?

Cheers,
Solderpunk
3. Jason McBrayer (jmcbray (a) carcosa.net)
- 📅 Sent: 2020-06-15 10:55
- 📧 Message 3 of 4
Sure. Originally, I took a very simplistic approach, just eating '../' whenever I saw it in a request. Unfortunately, it didn't handle a bare '..', which meant the parent directory of the document root was listable. Worse, you could construct a request like gemini://my.site/.../...//.../...//etc/passwd to get whatever you wanted, as long as it was locally world-readable.

The fix normalizes all pathnames before looking for files, and it checks that the resulting path is under the document root. I pulled in a library to help with this, which I originally wanted to avoid, but pathname handling in Common Lisp is pretty weird, and I felt the library (ppath) was worth it.

-- 
+----------------------------------------------------------------+
| Jason F. McBrayer                        jmcbray at carcosa.net |
| The scalloped tatters of the King in Yellow must hide Yhtill   |
| forever.                   R.W. Chambers _The King in Yellow_  |
4. solderpunk (solderpunk (a) SDF.ORG)
- 📅 Sent: 2020-06-15 11:01
- 📧 Message 4 of 4
On Mon, Jun 15, 2020 at 06:55:33AM -0400, Jason McBrayer wrote:
> Sure. Originally, I took a very simplistic approach, just eating '../'
> whenever I saw it in a request. Unfortunately, it didn't handle a bare
> '..', which meant the parent directory of the document root was
> listable. Worse, you could construct a request like
> gemini://my.site/.../...//.../...//etc/passwd to get whatever you
> wanted, as long as it was locally world-readable.
>
> The fix normalizes all pathnames before looking for files, and it checks
> that the resulting path is under the document root. I pulled in a
> library to help with this, which I originally wanted to avoid, but
> pathname handling in Common Lisp is pretty weird, and I felt the library
> (ppath) was worth it.

Thanks for sharing this! A good cautionary tale for people quickly throwing together servers.

For what it's worth, if Molly Brown detects even a single ".." in a request URL anywhere, it immediately returns:

"50 Your directory traversal technique has been defeated!\r\n"

without even consulting the filesystem. :) Just not worth the risk of trying to get it right, IMHO. Even then, I *still* explicitly check that the resultant filesystem path is under the document root, and also explicitly check that it is not equal to the server access log or the TLS cert or key files (which should never be inside the document root, but better safe than sorry!).

Cheers,
Solderpunk
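The two messages above describe three generations of the same check: a filter that deletes "../" and trusts the remainder, a normalize-then-verify-containment fix, and Molly Brown's refuse-any-".."-plus-containment-plus-reserved-files policy. The following Go program is an added example written for this thread; it is not Germinal's code (which is Common Lisp and uses ppath) nor Molly Brown's. It assumes slash-separated paths, a constructed document root of `/srv/gemini`, constructed reserved file names, and the hypothetical function names `naiveResolve` and `safeResolve`. It shows the request string quoted in the thread, `/.../...//.../...//etc/passwd`, surviving the naive filter as `/../..//etc/passwd` and being refused by the layered check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrTraversal: the request would reach outside the document root.
var ErrTraversal = errors.New("path traversal rejected")

// ErrReserved: the request resolves to a server-private file.
var ErrReserved = errors.New("reserved file rejected")

// naiveResolve reproduces the filter the thread describes as broken:
// delete every "../" and trust what is left. A bare ".." survives, and
// ".../...//" collapses into "../" once the inner "../" is cut out, so
// the joined path can land outside docRoot. Slash-separated paths are
// assumed throughout; a real server would map them to OS paths.
func naiveResolve(docRoot, reqPath string) string {
	stripped := strings.ReplaceAll(reqPath, "../", "")
	return path.Join(docRoot, stripped)
}

// safeResolve applies the layered checks the thread converges on:
// percent-decode first so an encoded ".." cannot slip past the text
// check, refuse any ".." outright without touching the filesystem,
// normalize, confirm containment under docRoot, and finally refuse the
// server's own files (log, certificate, key) even though they should
// never live under the root. The reserved list is a constructed input.
func safeResolve(docRoot, reqPath string, reserved []string) (string, error) {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", ErrTraversal
	}
	if strings.Contains(decoded, "..") {
		return "", ErrTraversal
	}
	root := path.Clean(docRoot)
	// Clean("/"+p) collapses "//" and "/./" and anchors the request at "/",
	// so Join can only yield root itself or something beneath it.
	resolved := path.Join(root, path.Clean("/"+decoded))
	if resolved != root && !strings.HasPrefix(resolved, root+"/") {
		return "", ErrTraversal
	}
	for _, r := range reserved {
		if resolved == path.Clean(r) {
			return "", ErrReserved
		}
	}
	return resolved, nil
}

func main() {
	const docRoot = "/srv/gemini" // constructed document root
	reserved := []string{ // constructed server-private files
		"/srv/gemini/access.log", "/srv/gemini/cert.pem", "/srv/gemini/key.pem",
	}
	requests := []string{
		"/index.gmi",
		"..",
		"/.../...//.../...//etc/passwd", // the request quoted in the thread
		"/%2e%2e/%2e%2e/etc/passwd",     // same idea, percent-encoded
		"/access.log",
	}
	for _, r := range requests {
		safe, err := safeResolve(docRoot, r, reserved)
		fmt.Printf("%-32s naive=%-36s safe=%q err=%v\n",
			r, naiveResolve(docRoot, r), safe, err)
	}
}
```

Two caveats a practitioner would add. The containment check here is lexical: if symlinks are allowed inside the document root, resolve them (for example with `filepath.EvalSymlinks` on a real filesystem path) before the prefix comparison, or a link inside the root can still point outside it. And the blanket `".."` refusal, as the thread acknowledges, also rejects legitimate names such as `notes..old.gmi`; that is the trade-off Molly Brown makes deliberately.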
---