Reported by Christopher Allan Webber <cwebber@dustycloud.org>
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
This commit adds protection to Guile's REPL servers against HTTP
inter-protocol exploitation attacks, a scenario whereby an attacker can,
via an HTML page, cause a web browser to send data to TCP servers
listening on a loopback interface or private network. See
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation> and
<https://www.jochentopf.com/hfpa/hfpa.pdf>, The HTML Form Protocol
Attack (2001) by Tochen Topf <jochen@remote.org>.
Here we add a procedure to 'before-read-hook' that looks for a possible
HTTP request-line in the first line of input from the client socket. If
present, the socket is drained and closed, and a loud warning is written
to stderr (POSIX file descriptor 2).
* module/system/repl/server.scm: Add 'maybe-check-for-http-request'
to 'before-read-hook' when this module is loaded.
(with-temporary-port-encoding, with-saved-port-line+column)
(drain-input-and-close, permissive-http-request-line?)
(check-for-http-request, guard-against-http-request)
(maybe-check-for-http-request): New procedures.
(serve-client): Use 'guard-against-http-request'.
* module/system/repl/coop-server.scm (start-repl-client): Use
'guard-against-http-request'.
* doc/ref/guile-invoke.texi (Command-line Options): In the description
of the --listen option, make the security warning more prominent.
Mention the new protection added here. Recommend using UNIX domain
sockets for REPL servers. "a path to" => "the file name of".
* doc/ref/guile.texi: Add 2016 to user-visible copyright notice.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2016.
* module/system/repl/common.scm (*version*): Add 2016 to the range of
copyright years.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2015.
* module/system/repl/common.scm (*version*): Add 2015 to the range of
copyright years.
Modified-by: Mark H Weaver <mhw@netris.org>
* module/system/repl/coop-server.scm: New module.
* module/system/repl/repl.scm (start-repl): Extract body to start-repl*.
(start-repl*): New procedure.
(run-repl): Extract body to run-repl*.
(run-repl*): New procedure.
* module/system/repl/server.scm (run-server): Extract body to
run-server*.
(run-server*): New procedure.
* doc/ref/api-evaluation.texi (Cooperative REPL Servers): New node.
* module/Makefile.am (SYSTEM_SOURCES): Add system/repl/coop-server.scm.
* module/system/repl/server.scm: Import (ice-9 match) and (srfi srfi-1).
(*open-sockets*): Add comment. This is now a list of pairs with a
'force-close' procedure in the cdr.
(close-socket!): Add comment noting that it is unsafe to call this
from another thread.
(add-open-socket!): Add 'force-close' argument, and put it in the cdr
of the '*open-sockets*' entry.
(stop-server-and-clients!): Use 'match'. Remove the first element
from *open-sockets* immediately. Call the 'force-close' procedure
instead of 'close-socket!'.
(errs-to-retry): New variable.
(run-server): Add a pipe, used in the 'force-close' procedure to
cleanly shut down the server. Put the server socket into non-blocking
mode. Use 'select' to monitor both the server socket and the pipe.
Don't call 'add-open-socket!' on the client-socket. Close the pipe
and the server socket cleanly when we're asked to shut down.
(serve-client): Call 'add-open-socket!' with a 'force-close' procedure
that cancels the thread. Set the thread cleanup handler to call
'close-socket!', instead of calling it in the main body.
* doc/ref/api-evaluation.texi (REPL Servers): Add a caveat to the manual
entry for 'stop-servers-and-clients!'.
* module/system/repl/server.scm (run-server): Remove case that handled
'interrupt' exceptions specially. It is no longer needed since
e6c8e6047e (REPL Server: Don't establish
a SIGINT handler.)
* doc/ref/guile.texi: Add 2014 to list of copyright years in @copying
section.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2014.
* module/system/repl/common.scm (*version*): Add 2014 to the range of
copyright years.
* module/system/repl/common.scm: Add not only 2013, but also 2012 to the
copyright notice at the top of the file, since the file was changed in
2012.
(*version*): Bump copyright year to 2013 in REPL greeting.
* module/ice-9/boot-9.scm (current-language): New parameter.
* module/system/base/language.scm (*current-language*): Pull fluid from
parameter.
(current-language): Now a re-exported parameter.
* doc/ref/compiler.texi: Update reference from *current-language* fluid
to current-language parameter.
* module/system/base/compile.scm (compile-and-load):
* module/ice-9/top-repl.scm (top-repl): Default to the current language,
not to Scheme.
* module/ice-9/eval-string.scm:
* module/system/base/language.scm:
* module/system/repl/command.scm:
* module/system/repl/repl.scm: Update to use current-language parameter
and parameterize.
* module/system/repl/command.scm (language): Set the
*current-language*.
* module/system/repl/repl.scm (start-repl): Create a new dynamic scope
for *current-language*.
* module/system/repl/common.scm (make-repl): Fix to accept language
objects in addition to symbols. Fixes http://debbugs.gnu.org/9857.
Thanks to Tristan Colgate for the report.
* module/system/repl/command.scm (time): Use the high-precision timers
instead of stime(2). Changes the output format of `,time' too;
perhaps there is a better way.
* module/system/repl/server.scm (run-server): Ignore SIGPIPE when we run
a server, as otherwise a rudely disconnected client could cause the
server to quit. Thanks to John Proctor for the report, and Detlev
Zundel for the debugging.
* module/language/objcode/spec.scm (decompile-value): Don't assume that
`error' will handle format strings appropriately.
* module/system/repl/command.scm (disassemble): A more human error when
you disassemble a non-procedure.
Bug reported by Andrew Horton.
* module/system/repl/error-handling.scm (call-with-error-handling):
Do _not_ enter the debugger if the thrown key is in `pass-keys'.
Previously, for example, (throw 'quit) entered the debugger when run
from the REPL, despite the fact that 'quit is in `pass-keys'.
* module/system/repl/command.scm:
* module/system/repl/debug.scm (terminal-width): Move terminal-width
here, make it thread-local, and export it.
(print-locals, print-frame, print-frames): Default width to
terminal-width.
* module/system/repl/error-handling.scm (call-with-error-handling): Add
`report' and `backtrace' on-error handlers.
* module/system/repl/common.scm (repl-default-options): Add on-error
REPL option, defaulting to `debug', but which may be changed.
* module/system/repl/repl.scm (run-repl): Pass the #:on-error REPL
option to call-with-error-handling.
* module/system/repl/command.scm (terminal-width): New parameter that
will use the true terminal width if unset.
(backtrace, locals): Default to (terminal-width).
(width): Simplify.
This meta-command allows one to set the default number of columns
that output from ,backtrace and ,locals shall occupy.
* doc/ref/scheme-using.texi (Debug Commands): document ,width
* module/system/repl/command.scm (*width*): new var
(backtrace, locals): use *width* in optarg
(width): new meta-command
* module/system/repl/repl.scm (read-comment, read-scheme-line-comment)
(read-scheme-datum-comment): New helpers.
(meta-reader): Take a language instead of a reader. If we have a
nonwhitespace char, first check to see that it's a comment, and if so,
read it off and loop.
(prompting-meta-read): Call meta-reader with the lang.
* module/system/repl/repl.scm (flush-leading-whitespace): Rename from
next-char.
(meta-reader): Use flush-leading-whitespace.
(run-repl): Use flush-to-newline after the evaluation, which seems to
be the same as what we did before.
* module/system/repl/repl.scm (flush-all-input): New helper.
(prompting-meta-read): Flush all input on a read error, as we could be
within some expression or a string or something.
* module/system/repl/error-handling.scm (error-string): Just use
print-exception instead of rolling our own printer.
(call-with-error-handling): Simplify.
* module/system/repl/error-handling.scm (display-syntax-error)
(error-string): Until we get the exception-printing patch merged in,
copy display-syntax-error into error-handling so that we avoid
display-error. Fixes bug 32365.
* module/system/repl/command.scm (warranty, copying, version): Use
`define-meta-command' to define these procedures, so they are entered
into the *command-infos* table.
Besides allowing user-defined meta-commands, this change also refactors
the meta-command machinery to split reading a command's arguments from
the procedure actually implementing it, and hence allows nesting
meta-commands. As an example of such a command, ",in" is added as a new
meta-command.
* module/system/repl/command.scm: Export `define-meta-command'.
(*command-module*): Replaced by the hash table `*command-infos*'.
(command-info, make-command-info, command-info-procedure)
(command-info-arguments-reader): New procedures, encapsulating the
information about a meta-command.
(command-procedure): Adapted to use the `command-info' lookup
procedure.
(read-command-arguments): New auxiliary procedure invoking a command's
argument reader procedure.
(meta-command): Adapted to the split of reading arguments and
executing a command.
(add-meta-command!): New auxiliary procedure, registers a meta
command's procedure and argument reader into `*command-infos* and
`*command-table*.
(define-meta-command): Extended to allow specification of the command's
category; split the argument reader and actual command procedure.
(guile:apropos, guile:load, guile:compile-file, guile:gc): Remove these
aliases, they are unnecessary as we now use a hash table instead of the
module to store the commands.
(in): New meta-command, which evaluates an expression, or alternatively
executes another meta-command, in the context of a specific module.
* doc/ref/scheme-using.texi (Module Commands): Document the `in'
meta-command.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Fixes bug in repl meta-commands after activating readline, which changes
the current input port.
* module/system/repl/common.scm (<repl>): Remove inport and outport
fields.
(make-repl): Adapt.
(repl-read, repl-print): Just read and write to the current ports.
* module/system/repl/repl.scm (meta-reader): Meta-read from the current
input port.
* module/system/repl/command.scm (read-command, define-meta-command):
Read from the current input port.
* module/system/repl/repl.scm (display-syntax-error): New helper,
displays a syntax error.
(abort-on-error, run-repl): Use it.
* libguile/throw.c (handler_message): Re-code the same thing in C.
* module/system/repl/debug.scm (print-frame): Add #:next-source? arg,
for when print-frame should use frame-next-source instead of
frame-source.
(print-frames): Add #:for-trap? arg. If true, the 0th frame should be
printed with frame-next-source.
* module/system/repl/command.scm (define-stack-command): Introduce
for-trap? into the lexical env.
(backtrace, up, down, frame): Update to do the right thing regarding
#:for-trap?.
* module/language/tree-il/analyze.scm (format-analysis): Don't warn on
non-literal format string if the format string is a lexical ref to a
variable named "fmt". A slight hack, but effective :)
* module/system/repl/command.scm (display-stat): Rename the format
string to "fmt".
