💾 Archived View for gemi.dev › gemini-mailing-list › 000213.gmi captured on 2024-05-26 at 15:30:20. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

Germinal v0.2.0 update

• 📧 Messages: 4
• 🗣️ Authors: 2
• 📅 First Message: 2020-06-14 02:06
• 📅 Last Message: 2020-06-15 11:01

1. Jason McBrayer (jmcbray (a) carcosa.net)

• 📅 Sent: 2020-06-14 02:06
• 📧 Message 1 of 4

Germinal update!

I would like to announce the release of version 0.2 of my Common Lisp
Gemini server, Germinal[1]. In this release:


	
Support for configuration by command-line or TOML config file.
	
Many, many bug fixes, many of which are thanks to Tobias Rautenkranz


The most important of these bug fixes is a fix to a path-traversal bug,
that could have allowed carefully constructed requests to read
world-readable files from outside your Germinal document root. (There
was code to catch path traversals before, but it was wrong, and only
caught simple cases). If you are running Germinal, you are *highly*
recommended to upgrade because of this bug. Also, write to me[2]; there
can't be more than a couple people running this, and until Tobias
started submitting pull requests, I thought I was the only one. 

=> /germinal/  [1] Germinal home page on Gemini.
=> mailto:jmcbray+germinal at carcosa.net    [2] Email me.

The source is hosted on my own gittea instance[3], and I'm happy to
accept patches either there, or by email (format with git-format-patch
and/or git-send-email).

=> https://git.carcosa.net/jmcbray/germinal/       [3] Germinal gitea

If you are a smug Lisp weenie, please be gentle. I'm a Lisp newbie
whomst is trying to learn things by writing this.

-- 
+-----------------------------------------------------------+  
| Jason F. McBrayer                    jmcbray at carcosa.net  |  
| If someone conquers a thousand times a thousand others in |  
| battle, and someone else conquers himself, the latter one |  
| is the greatest of all conquerors.  --- The Dhammapada    |

Link to individual message.

2. solderpunk (solderpunk (a) SDF.ORG)

• 📅 Sent: 2020-06-14 09:46
• 📧 Message 2 of 4

On Sat, Jun 13, 2020 at 10:06:39PM -0400, Jason McBrayer wrote:
 
> The most important of these bug fixes is a fix to a path-traversal bug,
> that could have allowed carefully constructed requests to read
> world-readable files from outside your Germinal document root. (There
> was code to catch path traversals before, but it was wrong, and only
> caught simple cases).

Path-traversal bugs are scary!  Is it worth sharing the details of this
so that other server authors can check for analogous bugs in their
servers?  Or was it highly specific to your programming language or
server design? 

Cheers,
Solderpunk

Link to individual message.

3. Jason McBrayer (jmcbray (a) carcosa.net)

• 📅 Sent: 2020-06-15 10:55
• 📧 Message 3 of 4

Sure. Originally, I took a very simplistic approach, just eating '../'
whenever I saw it in a request. Unfortunately, it didn't handle a bare
'..', which meant the parent directory of the document root was
listable. Worse, you could construct a request like
gemini://my.site/.../...//.../...//etc/passwd to get whatever you
wanted, as long as it was locally world-readable.

The fix normalizes all pathnames before looking for files, and it checks
that the resulting path is under the document root. I pulled in a
library to help with this, which I originally wanted to avoid, but
pathname handling in Common Lisp is pretty weird, and I felt the library
(ppath) was worth it.

--
+----------------------------------------------------------------+
| Jason F. McBrayer                         jmcbray at carcosa.net  |
| The scalloped tatters of the King in Yellow must hide Yhtill   |
| forever.                    R.W. Chambers _The King in Yellow_ |

Link to individual message.

4. solderpunk (solderpunk (a) SDF.ORG)

• 📅 Sent: 2020-06-15 11:01
• 📧 Message 4 of 4

On Mon, Jun 15, 2020 at 06:55:33AM -0400, Jason McBrayer wrote:
> Sure. Originally, I took a very simplistic approach, just eating '../'
> whenever I saw it in a request. Unfortunately, it didn't handle a bare
> '..', which meant the parent directory of the document root was
> listable. Worse, you could construct a request like
> gemini://my.site/.../...//.../...//etc/passwd to get whatever you
> wanted, as long as it was locally world-readable.
> 
> The fix normalizes all pathnames before looking for files, and it checks
> that the resulting path is under the document root. I pulled in a
> library to help with this, which I originally wanted to avoid, but
> pathname handling in Common Lisp is pretty weird, and I felt the library
> (ppath) was worth it.

Thanks for sharing this!  A good cautionary tale for people quickly
throwing together servers.

For what it's worth, if Molly Brown detects even a single ".." in a
request URL anywhere it immediately returns:

"50 Your directory traversal technique has been defeated!\r\n"

without even consulting the filesystem. :)  Just not worth the risk of
trying to get it right, IMHO.  Even then, I *still* explicitly check
the resultant filesystem path is under the document root, and also
explicitly check that it is not equal to the server access log or the
TLS cert or key files (which should never inside the document root,
but better safe than sorry!).

Cheers,
Solderpunk

Link to individual message.

---

Previous Thread: Draft spec changes for comments

Next Thread: [ANN] Git front-end for Gemini