mirror of https://git.savannah.gnu.org/git/guile.git synced 2025-04-30 20:00:19 +02:00
Commit graph

3 commits

Author SHA1 Message Date
Mark H Weaver
402162cfcf REPL Server: Guard against HTTP inter-protocol exploitation attacks.
Reported by Christopher Allan Webber <cwebber@dustycloud.org>
Co-authored-by: Ludovic Courtès <ludo@gnu.org>

This commit adds protection to Guile's REPL servers against HTTP
inter-protocol exploitation attacks, a scenario whereby an attacker can,
via an HTML page, cause a web browser to send data to TCP servers
listening on a loopback interface or private network.  See
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation> and
<https://www.jochentopf.com/hfpa/hfpa.pdf>, The HTML Form Protocol
Attack (2001) by Jochen Topf <jochen@remote.org>.

Here we add a procedure to 'before-read-hook' that looks for a possible
HTTP request-line in the first line of input from the client socket.  If
present, the socket is drained and closed, and a loud warning is written
to stderr (POSIX file descriptor 2).

* module/system/repl/server.scm: Add 'maybe-check-for-http-request'
to 'before-read-hook' when this module is loaded.
(with-temporary-port-encoding, with-saved-port-line+column)
(drain-input-and-close, permissive-http-request-line?)
(check-for-http-request, guard-against-http-request)
(maybe-check-for-http-request): New procedures.
(serve-client): Use 'guard-against-http-request'.
* module/system/repl/coop-server.scm (start-repl-client): Use
'guard-against-http-request'.
* doc/ref/guile-invoke.texi (Command-line Options): In the description
of the --listen option, make the security warning more prominent.
Mention the new protection added here.  Recommend using UNIX domain
sockets for REPL servers.  "a path to" => "the file name of".
2017-03-01 20:13:13 +01:00
Andy Wingo
d0d14f410d Importing modules with #:select no longer grovels private bindings
* module/ice-9/boot-9.scm (resolve-interface): Don't look in private
  interface for #:select bindings.  Fixes #17418.
* module/system/repl/coop-server.scm: Don't rely on bad #:select
  behavior.
* NEWS: Add entry.
2016-06-21 16:01:50 +02:00
David Thompson
b0a3149955 Add cooperative REPL server module.
Modified-by: Mark H Weaver <mhw@netris.org>

* module/system/repl/coop-server.scm: New module.

* module/system/repl/repl.scm (start-repl): Extract body to start-repl*.
  (start-repl*): New procedure.
  (run-repl): Extract body to run-repl*.
  (run-repl*): New procedure.

* module/system/repl/server.scm (run-server): Extract body to
  run-server*.
  (run-server*): New procedure.

* doc/ref/api-evaluation.texi (Cooperative REPL Servers): New node.

* module/Makefile.am (SYSTEM_SOURCES): Add system/repl/coop-server.scm.
2014-02-12 11:26:22 -05:00
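
The check described in commit 402162cfcf (look for an HTTP request-line in the first line from the client, then drain, close and warn on stderr) can be sketched as follows. This is an added Python example, not Guile's code; the regex, function names and sample inputs are assumptions made for illustration.

```python
import re
import socket
import sys

# Permissive request-line shape: METHOD SP target SP HTTP/x.y, optional CR.
# This regex is the example's own approximation, not Guile's parser.
_REQUEST_LINE = re.compile(rb"^[A-Za-z]+ +\S+ +HTTP/\d+\.\d+\r?$")

def looks_like_http_request_line(line: bytes) -> bool:
    return _REQUEST_LINE.match(line) is not None

def guard_against_http_request(conn: socket.socket) -> bool:
    """Return True if the client may proceed, False if it was rejected."""
    # MSG_PEEK leaves the bytes queued, so a legitimate client's first
    # expression is still there for the REPL reader. Simplification: this
    # assumes the first line arrives in the first segment.
    data = conn.recv(4096, socket.MSG_PEEK)
    if not looks_like_http_request_line(data.split(b"\n", 1)[0]):
        return True
    print("WARNING: HTTP request received on REPL socket; possible "
          "inter-protocol exploitation attempt. Closing.", file=sys.stderr)
    conn.settimeout(0.2)
    try:
        while conn.recv(4096):  # drain whatever else the browser sent
            pass
    except OSError:             # timeout: nothing more to drain
        pass
    conn.close()
    return False

# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "browser_form_post": b"POST / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\nx=1\n",
    "repl_client": b"(+ 1 2)\n",
}

def demo() -> dict:
    """Run each sample through the guard over a local socket pair."""
    results = {}
    for name, payload in SAMPLES.items():
        client, server = socket.socketpair()
        client.sendall(payload)
        allowed = guard_against_http_request(server)
        # For an allowed client the peeked input must still be readable.
        leftover = server.recv(4096) if allowed else b""
        results[name] = (allowed, leftover)
        client.close()
        if allowed:
            server.close()
    return results
```

Calling `demo()` returns, per sample, whether the connection was allowed and what input remained for the reader.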