These procedures were removed in Guile 2.2 by commit
fc7bd367ab (May 2011).
* libguile/socket.h (scm_inet_aton, scm_inet_ntoa): Remove.
* module/system/repl/server.scm (make-tcp-server-socket): Use
'inet-pton' instead of 'inet-aton'.
* doc/ref/web.texi (HTTP): Likewise in 'declare-header!' example.
* doc/ref/posix.texi (Network Address Conversion): Remove documentation
of 'inet-ntoa' and 'inet-aton'.
Reported by Christopher Allan Webber <cwebber@dustycloud.org>
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
This commit adds protection to Guile's REPL servers against HTTP
inter-protocol exploitation attacks, a scenario whereby an attacker can,
via an HTML page, cause a web browser to send data to TCP servers
listening on a loopback interface or private network. See
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation> and
<https://www.jochentopf.com/hfpa/hfpa.pdf>, The HTML Form Protocol
Attack (2001) by Tochen Topf <jochen@remote.org>.
Here we add a procedure to 'before-read-hook' that looks for a possible
HTTP request-line in the first line of input from the client socket. If
present, the socket is drained and closed, and a loud warning is written
to stderr (POSIX file descriptor 2).
* module/system/repl/server.scm: Add 'maybe-check-for-http-request'
to 'before-read-hook' when this module is loaded.
(with-temporary-port-encoding, with-saved-port-line+column)
(drain-input-and-close, permissive-http-request-line?)
(check-for-http-request, guard-against-http-request)
(maybe-check-for-http-request): New procedures.
(serve-client): Use 'guard-against-http-request'.
* module/system/repl/coop-server.scm (start-repl-client): Use
'guard-against-http-request'.
* doc/ref/guile-invoke.texi (Command-line Options): In the description
of the --listen option, make the security warning more prominent.
Mention the new protection added here. Recommend using UNIX domain
sockets for REPL servers. "a path to" => "the file name of".
* libguile/dynstack.h:
* libguile/dynstack.c (scm_dynstack_find_old_fluid_value): New
function.
* libguile/fluids.c (saved_dynamic_state_ref): New helper.
(scm_fluid_ref): Fix docstring.
(scm_fluid_ref_star): New function allowing access to previous values
for a fluid.
(scm_dynamic_state_ref): New internal function.
* libguile/fluids.h: Add scm_fluid_ref_star and scm_dynamic_state_ref.
* libguile/stacks.c (scm_stack_id): Adapt to %stacks not being a chain.
* libguile/throw.c (catch, throw_without_pre_unwind): Adapt to
%exception-handlers not being a chain.
* module/ice-9/boot-9.scm (catch, dispatch-exception): Instead of having
%exception-handlers be a chain, use fluid-ref* to access the chain
that is in place at the time the exception is thrown. Prevents
unintended undelimited capture of the current exception handler stack
by a delimited "catch".
(%start-stack): Similarly, don't be a chain.
* module/system/repl/debug.scm (frame->stack-vector):
* module/system/repl/error-handling.scm (call-with-error-handling):
* module/ice-9/save-stack.scm (save-stack): Adapt to %stacks not being a
chain.
* test-suite/tests/exceptions.test ("delimited exception handlers"): Add
tests.
* doc/ref/api-control.texi (Fluids and Dynamic States): Add docs.
* doc/ref/guile.texi: Add 2016 to user-visible copyright notice.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2016.
* module/system/repl/common.scm (*version*): Add 2016 to the range of
copyright years.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2015.
* module/system/repl/common.scm (*version*): Add 2015 to the range of
copyright years.
* module/system/repl/debug.scm (print-locals): Adapt to
frame-binding-ref change.
* module/system/vm/frame.scm (<binding>): Add `frame' field.
(available-bindings): Capture the frame.
(binding-ref, binding-set!): New functions, accessing a local variable
value directly from a frame.
(frame-binding-ref, frame-binding-set!): Remove. As these are very
low-level debugging interfaces introduced in 2.0, never documented,
and quite tied to the VM, we feel comfortable making this change.
(frame-call-representation): Adapt to available-bindings change.
(frame-environment, frame-object-binding): Adapt to binding-ref
interface change.
* doc/ref/vm.texi (Stack Layout): Mention that slots can be re-used.
Update disassembly in example.
* doc/ref/api-debug.texi (Frames): Remove documentation for
frame-local-ref, frame-local-set!, and frame-num-locals. Replace with
documentation for frame-bindings, binding accessors, and binding-ref /
binding-set!.
* libguile/frames.h (scm_frame_num_locals, scm_frame_local_ref)
(scm_frame_local_set_x): Remove. As long as we are changing the
interface in a backward-incompatible way, we might as well remove
these.
* libguile/frames.c (scm_frame_num_locals, scm_frame_local_ref)
(scm_frame_local_set_x, scm_init_frames_builtins, scm_init_frames):
Arrange to make frame-local-ref et al private to frames.scm.
* module/system/vm/frame.scm: Load scm_init_frames_builtins extensions.
(frame-instruction-pointer-or-primitive-procedure-name): New public
function.
(frame-binding-ref, frame-binding-set!): Allow binding objects as
vars.
* module/system/repl/debug.scm (print-locals): Pass binding directly to
frame-binding-ref.
* module/statprof.scm (sample-stack-procs, count-call): Use new
frame-instruction-pointer-or-primitive-procedure-name function.
* module/system/repl/debug.scm (frame->module): Remove. Has been broken
for a while, had no callers, and was calling frame-procedure. We can
revive again in a better way, like ice-9 local-eval.
* doc/ref/scheme-using.texi (Debug Commands):
* module/system/repl/command.scm (procedure): Remove REPL command.
Since there is a closure binding and we have improved the ,registers
output, this is no longer necessary and by removing it we remove
another bogus use of frame-procedure.
* module/system/repl/debug.scm (print-frame): Pass #:top-frame? #t for
the top frame.
* module/system/vm/frame.scm (available-bindings): Be permissive and
allow #:top-frame? #f even when the IP is at the start of the
function.
* libguile/frames.c (scm_frame_address, scm_frame_stack_pointer): Return
offsets instead of absolute pointers. This is robust in the presence
of stack relocation.
* module/system/repl/debug.scm (print-registers): Adapt to print sp and
fp as integers.
* module/system/repl/debug.scm (print-locals): Update to work with new
interface.
(frame->module): Update. Still doesn't work due to lack of
`program-module', though.
* module/system/vm/program.scm (make-binding, binding:name)
(binding:definition-offset, program-arity-bindings-for-ip): Remove
these.
* module/system/vm/frame.scm (<binding>): New type.
(available-bindings): Return a list of <binding> instances.
(frame-lookup-binding, frame-binding-set!, frame-binding-ref):
(frame-environment, frame-object-name): Adapt.
* libguile/gc.c (scm_oom_fn, scm_init_gc): Install an out-of-memory
handler that raises an unwind-only out-of-memory exception.
(scm_gc_warn_proc, scm_init_gc): Install a warning proc that tries to
print to the current warning port, if the current warning port is a
file port.
(scm_gc_after_nonlocal_exit): New interface. Should be called after a
nonlocal return to potentially collect memory; otherwise allocations
could try to expand again when they should collect.
* libguile/continuations.c (scm_i_make_continuation):
* libguile/eval.c (eval):
* libguile/throw.c (catch):
* libguile/vm.c (scm_call_n): Call scm_gc_after_nonlocal_exit after
nonlocal returns.
* libguile/throw.c (abort_to_prompt, throw_without_pre_unwind): Rework
to avoid allocating memory.
(scm_report_out_of_memory): New interface.
(scm_init_throw): Pre-allocate the arguments for stack-overflow and
out-of-memory errors.
* module/ice-9/boot-9.scm: Add an out-of-memory exception printer.
* module/system/repl/error-handling.scm (call-with-error-handling): Add
out-of-memory to the report-keys set.
* libguile/gc-malloc.c (scm_realloc): Call scm_report_out_of_memory if
realloc fails.
* libguile/error.h:
* libguile/error.c:
* libguile/deprecated.h:
* libguile/deprecated.c (scm_memory_error): Deprecate.
* test-suite/standalone/Makefile.am:
* test-suite/standalone/test-out-of-memory: New test case.
* module/system/repl/error-handling.scm (call-with-error-handling): Add
#:report-keys kwarg, so that unwind-only exceptions (stack-overflow in
particular) get reported.
* doc/ref/api-debug.texi (Pre-Unwind Debugging): Add documentation for
#:report-keys kwarg of call-with-error-handling.
(Stack Overflow): New subsubsection.
(Debug Options): Remove discussion of stack overflow.
Modified-by: Mark H Weaver <mhw@netris.org>
* module/system/repl/coop-server.scm: New module.
* module/system/repl/repl.scm (start-repl): Extract body to start-repl*.
(start-repl*): New procedure.
(run-repl): Extract body to run-repl*.
(run-repl*): New procedure.
* module/system/repl/server.scm (run-server): Extract body to
run-server*.
(run-server*): New procedure.
* doc/ref/api-evaluation.texi (Cooperative REPL Servers): New node.
* module/Makefile.am (SYSTEM_SOURCES): Add system/repl/coop-server.scm.
* module/system/repl/server.scm: Import (ice-9 match) and (srfi srfi-1).
(*open-sockets*): Add comment. This is now a list of pairs with a
'force-close' procedure in the cdr.
(close-socket!): Add comment noting that it is unsafe to call this
from another thread.
(add-open-socket!): Add 'force-close' argument, and put it in the cdr
of the '*open-sockets*' entry.
(stop-server-and-clients!): Use 'match'. Remove the first element
from *open-sockets* immediately. Call the 'force-close' procedure
instead of 'close-socket!'.
(errs-to-retry): New variable.
(run-server): Add a pipe, used in the 'force-close' procedure to
cleanly shut down the server. Put the server socket into non-blocking
mode. Use 'select' to monitor both the server socket and the pipe.
Don't call 'add-open-socket!' on the client-socket. Close the pipe
and the server socket cleanly when we're asked to shut down.
(serve-client): Call 'add-open-socket!' with a 'force-close' procedure
that cancels the thread. Set the thread cleanup handler to call
'close-socket!', instead of calling it in the main body.
* doc/ref/api-evaluation.texi (REPL Servers): Add a caveat to the manual
entry for 'stop-servers-and-clients!'.
* module/system/repl/server.scm (run-server): Remove case that handled
'interrupt' exceptions specially. It is no longer needed since
e6c8e6047e (REPL Server: Don't establish
a SIGINT handler.)
* doc/ref/guile.texi: Add 2014 to list of copyright years in @copying
section.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2014.
* module/system/repl/common.scm (*version*): Add 2014 to the range of
copyright years.
* libguile/Makefile.am:
* libguile/vm-i-loader.c:
* libguile/vm-i-scheme.c:
* libguile/vm-i-system.c: Remove the old VM files, and the rules to
build the .i files.
* libguile/vm-engine.c:
* libguile/vm.c: Remove the old VM. Woot!
* libguile/_scm.h (SCM_OBJCODE_COOKIE, SCM_OBJCODE_ENDIANNESS_OFFSET)
(SCM_OBJCODE_WORD_SIZE_OFFSET): Remove.
* libguile/evalext.c (scm_self_evaluating_p): Remove objcode and program
cases.
* libguile/frames.c (scm_frame_num_locals, scm_frame_previous): Remove
program cases.
* libguile/gc.c (scm_i_tag_name): Remove objcode case.
* libguile/goops.c (scm_class_of, create_standard_classes): Remove
objcode and program cases.
* libguile/instructions.h:
* libguile/instructions.c (scm_instruction_list, scm_instruction_p)
(scm_instruction_length, scm_instruction_pops, scm_instruction_pushes)
(scm_instruction_to_opcode, scm_opcode_to_instruction): Remove old VM
code.
* libguile/objcodes.h:
* libguile/objcodes.c: Remove the objcode data type, and handling for
objcode files.
* libguile/print.c: Remove objcode and program printers.
* libguile/procprop.c: Remove program cases.
* libguile/procs.c:
* libguile/programs.h:
* libguile/programs.c: Remove old program code.
* libguile/smob.c: Remove objcodes include.
* libguile/snarf.h: Remove static program defines.
* libguile/stacks.c: Remove program case.
* libguile/tags.h: Remove program and objcode tc7s.
* module/ice-9/session.scm (procedure-arguments)
* module/language/tree-il/analyze.scm (validate-arity)
* module/statprof.scm (get-call-data, procedure=?)
* module/system/vm/frame.scm (frame-bindings)
(frame-call-representation): Remove old program cases.
* module/system/repl/debug.scm (frame->module): Add a FIXME.
* module/system/vm/instruction.scm: Remove old exports.
* module/system/vm/program.scm: Remove old program code.
* libguile/frames.c (scm_frame_source): Instead of assuming that
scm_frame_procedure is correct, use the IP to get the source.
(scm_frame_instruction_pointer): Return an absolute value instead of
assuming that slot 0 is correct. (It isn't, when preparing for a tail
call.)
* libguile/programs.h:
* libguile/programs.c (scm_find_source_for_addr): New internal helper.
* module/system/repl/debug.scm (print-registers): Readably print
absolute instruction pointers.
* module/system/vm/coverage.scm: Complete rewrite to use absolute IP's.
We can't assume that frame-procedure is cheap if it is correct, or
correct if it is cheap. Anyway using the address is better anyway.
(coverage-data->lcov): Disable per-function info temporarily.
(loaded-modules, module-procedures, closest-source-line)
(closed-over-procedures): Remove these. Instead of going from
procedures to source info, now we go from ELF image to source info.
* module/system/vm/debug.scm (debug-context-length): New interface.
* module/system/vm/program.scm (source-for-addr): New internal helper.
* module/system/repl/debug.scm (<debug>): Remove for-trap?. Backtraces
with RTL will always happen pre-retire on the top frame, source info
is pre-retire, and continuations will always have a source-marked
receive or receive-values or whatever with the right source marking,
so we can remove this complication.
(print-frame): Use frame-source.
(print-frames): Remove for-trap? kw.
* module/system/repl/command.scm (define-stack-command, backtrace)
(up, down, frame): Remove for-trap? introduced local, and its uses.
(repl-pop-continuation-resumer): Adapt to make-debug change.
* module/system/repl/error-handling.scm (call-with-error-handling):
Adapt to make-debug change.
* module/system/vm/frame.scm (frame-next-source): Remove. RTL sources
are pre-retire.
* module/system/vm/trap-state.scm (add-ephemeral-stepping-trap!): Adapt
to use frame-source. Still some work to do here.
* module/language/tree-il.scm (pre-order): Re-implement in terms of
pre-post-order, and rename from pre-order!.
* module/language/tree-il/primitives.scm (expand-primitives): Adapt to
pre-order change, and rename from expand-primitives!.
* module/language/tree-il/optimize.scm (optimize): Adapt to
expand-primitives! change, and rename from optimize!.
* module/language/tree-il/compile-glil.scm:
* module/system/repl/common.scm:
* test-suite/tests/cse.test:
* test-suite/tests/peval.test:
* test-suite/tests/tree-il.test: Adapt to expand-primitives and optimize
changes.
