mbutterick
/
pollen
3
3
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Labels Milestones

New Issue

Project server should only bind to localhost by default #143

Closed
opened 8 years ago by rrthomas · 7 comments
rrthomas commented 8 years ago (Migrated from github.com)

In the documentation you point out that the project server is insecure.

For the commonest case (wanting to test on machine running the project server) this could be largely mitigated by having it bind only to localhost.

Of course, it would then be useful to allow it to be reconfigured for other uses (classroom, collaboration &c.).

Is this hard or otherwise undesirable?

In the documentation you point out that the project server is insecure. For the commonest case (wanting to test on machine running the project server) this could be largely mitigated by having it bind only to localhost. Of course, it would then be useful to allow it to be reconfigured for other uses (classroom, collaboration &c.). Is this hard or otherwise undesirable?
mbutterick commented 8 years ago (Migrated from github.com)

You can expect that this will remain biased toward my view of the “commonest” case: I often like to run the project server and view the site on machines nearby (e.g., iPhone, virtualized Windows, etc)

That said, it’s easy to adjust the project server’s behavior with the #:listen-ip argument to restrict the server to localhost. I suppose there would be three choices:

  1. Introduce a new setup value to control this.

  2. Introduce a new switch for raco pollen start to control this.

  3. Both.

You can expect that this will remain biased toward my view of the “commonest” case: I often like to run the project server and view the site on machines nearby (e.g., iPhone, virtualized Windows, etc) That said, it’s easy to adjust the project server’s behavior with the [`#:listen-ip` argument](https://github.com/mbutterick/pollen/blob/master/pollen/private/project-server.rkt#L37) to restrict the server to `localhost`. I suppose there would be three choices: 1. Introduce a new `setup` value to control this. 2. Introduce a new switch for `raco pollen start` to control this. 3. Both.
mbutterick commented 8 years ago (Migrated from github.com)

Making a setup value seemed like overkill. If you do raco pollen start --local then the project server will be restricted to localhost.

Making a `setup` value seemed like overkill. If you do `raco pollen start --local` then the project server will be restricted to localhost.
rrthomas commented 8 years ago (Migrated from github.com)

Thanks for the switch and for documenting it.

However, it is the wrong way round: the server is insecure by default. Yes, this is documented, but that's not an excuse. Bugs in the server or elsewhere could cause the local user serious problems that are impossible if the server is listening only on a localhost address, and it's also easier, with this being the default behavior, to do it by mistake, e.g. with a typo.

Please think again!

Thanks for the switch and for documenting it. However, it is the wrong way round: the server is insecure by default. Yes, this is documented, but that's not an excuse. Bugs in the server *or elsewhere* could cause the local user serious problems that are impossible if the server is listening only on a localhost address, and it's also easier, with this being the default behavior, to do it by mistake, e.g. with a typo. Please think again!
mbutterick commented 8 years ago (Migrated from github.com)

Bugs in the server or elsewhere could cause the local user serious problems

What would be a common, practical case where this specific risk arises?

> Bugs in the server or elsewhere could cause the local user serious problems What would be a common, practical case where this specific risk arises?
rrthomas commented 8 years ago (Migrated from github.com)

I don't think that is the right way to think about security. Security flaws often involve uncommon and impractical cases.

However, I'm thinking of for example leaking a file in the same directory containing confidential information, or bugs in, say, racket, glibc and/or the kernel that allow a remote exploit. (In other words, an exploit to which one would be exposed if one were using the server entirely "properly". But again, I think that is something one should have to think and type to do, not think and type not to do.)

I don't think that is the right way to think about security. Security flaws often involve uncommon and impractical cases. However, I'm thinking of for example leaking a file in the same directory containing confidential information, or bugs in, say, racket, glibc and/or the kernel that allow a remote exploit. (In other words, an exploit to which one would be exposed if one were using the server entirely "properly". But again, I think that is something one should have to think and type to do, not think and type *not* to do.)
mbutterick commented 8 years ago (Migrated from github.com)

I appreciate your views. Perhaps I will revisit this issue in the future. For now, I’m satisfied with how it works.

I appreciate your views. Perhaps I will revisit this issue in the future. For now, I’m satisfied with how it works.
rrthomas commented 8 years ago (Migrated from github.com)

Thanks for listening!

Thanks for listening!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
dev-pygments3
dev-gang-render
dev-gh-actions
dev-poly-fix-201114
dev-output-files-201008
dev-nonsettable
dev-app
dev-fasl
dev-jobs-flag
dev-file-locking
dev-travis-config
dev-render-audit
fix-drp
meta-expr
candidate-v2.0
dev-top-inverter
dev-langify
dev-stylish-5
dev-stylish
v3.2
works
v3.1
v3.0
v2.2
v2.1
v2.0
v1.5
v1.4
v1.3
v1.2
v1.11
v1.1
v1.0
Labels
Apply labels
Clear labels
No items
No Label
Milestone
Set milestone
Clear milestone
No items
No Milestone
Projects
Set Project
Clear projects
No project
Assignees
Assign users
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: mbutterick/pollen#143
Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch '%!s(<nil>)'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes