1
Fork 0
mirror of https://git.savannah.gnu.org/git/guile.git synced 2025-05-09 07:00:23 +02:00
guile/module
Mark H Weaver 402162cfcf REPL Server: Guard against HTTP inter-protocol exploitation attacks.
Reported by Christopher Allan Webber <cwebber@dustycloud.org>
Co-authored-by: Ludovic Courtès <ludo@gnu.org>

This commit adds protection to Guile's REPL servers against HTTP
inter-protocol exploitation attacks, a scenario whereby an attacker can,
via an HTML page, cause a web browser to send data to TCP servers
listening on a loopback interface or private network.  See
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation> and
<https://www.jochentopf.com/hfpa/hfpa.pdf>, The HTML Form Protocol
Attack (2001) by Tochen Topf <jochen@remote.org>.

Here we add a procedure to 'before-read-hook' that looks for a possible
HTTP request-line in the first line of input from the client socket.  If
present, the socket is drained and closed, and a loud warning is written
to stderr (POSIX file descriptor 2).

* module/system/repl/server.scm: Add 'maybe-check-for-http-request'
to 'before-read-hook' when this module is loaded.
(with-temporary-port-encoding, with-saved-port-line+column)
(drain-input-and-close, permissive-http-request-line?)
(check-for-http-request, guard-against-http-request)
(maybe-check-for-http-request): New procedures.
(serve-client): Use 'guard-against-http-request'.
* module/system/repl/coop-server.scm (start-repl-client): Use
'guard-against-http-request'.
* doc/ref/guile-invoke.texi (Command-line Options): In the description
of the --listen option, make the security warning more prominent.
Mention the new protection added here.  Recommend using UNIX domain
sockets for REPL servers.  "a path to" => "the file name of".
2017-03-01 20:13:13 +01:00
..
ice-9 Favor docstrings for describing the purpose of functions. 2017-03-01 10:09:38 +01:00
language Fix guild compile --to=cps / --from=cps 2017-02-23 11:37:44 +01:00
oop Fix class slot allocation since GOOPS rewrite 2017-03-01 15:37:05 +01:00
rnrs Flush when getting string from r6rs string output port 2017-03-01 14:26:11 +01:00
scripts Wire up `guild compile -O0 foo.scm' 2015-10-22 17:44:17 +00:00
srfi SRFI-18 mutexes are not recursive 2016-11-05 10:30:54 +01:00
sxml Remove duplicate definitions of call/ec' and let/ec'. 2013-04-06 15:40:19 +02:00
system REPL Server: Guard against HTTP inter-protocol exploitation attacks. 2017-03-01 20:13:13 +01:00
texinfo texinfo: Remove unnecessary (oop goops) dependency. 2017-03-01 19:28:04 +01:00
web http: Do not use 'eq?' to compare characters in parse-request-uri. 2017-03-01 19:50:37 +01:00
Makefile.am Add handle-interrupts inst and compiler pass 2016-11-16 22:55:45 +01:00
rnrs.scm Add R6RS bytevector->string, string->bytevector 2016-06-21 11:29:14 +02:00
statprof.scm Update statprof documentation; deprecate `with-statprof' 2016-02-01 15:12:36 +01:00
texinfo.scm texinfo: fix @url{@@} parsing 2014-11-09 15:56:33 +00:00