💾 Archived View for station.martinrue.com › jo › d0226de68dfe45dcbc5b90b0dc8d147b captured on 2024-07-09 at 02:16:27. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-06-16)
-=-=-=-=-=-=-
Hey all! Thought yesterday I should check out station again and learned of this new nex protocol? I wrote a server for it and it works but I'm still a bit skeptical about whether or not it's safe. Anyway here it is
nex://diptera.casa/
9 months ago · 👍 clseibold, userfxnet
@clseibold yeah I'll definitely have to look up and test all the ways to prevent command injection. guess it's a nice learning moment · 9 months ago
@jo Ah, right, if you are using the "system()" function in C (or similar in other languages), of if you are just using bash, then you'll definitely need to make sure people can't inject shell code into the request (path). This is actually why I don't like things written in bash, or when programs call out to the shell like this, because it's very insecure. · 9 months ago
@clseibold Thanks! I've never written a server before and all I know is bash so I was a bit shocked to find that the setup I had going (read input; if input ends in / redirect to /path/to/input/index; otherwise output=/path/to/input; cat output) was shellshockable 😭 despite me having the newest bash. Don't know a lot about these things but I worked out a way to get rid of that vulnerability now. Luckily ../ or // is no issue at all. · 9 months ago
Cool! It should be pretty safe as long as you don't allow people to escape the root with, for example, "../" in the path. I know golang, which is what both my server and the reference nex server are written in, has this basically by default if you use the virtual filesystem (fs package) stuff (although, now that I'm writing a nex server+client for Windows XP, golang 1.10 and 1.11 don't have the fs package, lol).
I used my nex server to mostly host files, particularly whole documents that one would want to browse and read, like copies of stuff from bitsavers, and scripture. Public domain books, and stuff like that, could be good too, imo. · 9 months ago