bassmanitram / actions-for-nautilus

An extension to the Gnome "Files" file manager that allows you to add arbitrary actions to the file selection context menu.
Apache License 2.0

[Security] Port remains open after webpage is closed #66

Open wparad opened 2 months ago

wparad commented 2 months ago

After the configuration page is closed, the port on which the configuration page is being hosted is still open. This is a huge security vulnerability; how can we circumvent this?

bassmanitram commented 2 months ago

It shouldn't be happening... The 'beforeExit' event is supposed to trigger the killing of the server... Which testing in my context confirms. Can you tell me your setup so I can try and emulate it here?

On Mon, Jun 3, 2024, 18:53 Warren Parad @.***> wrote:

After the configuration page is closed, the port on which the configuration page is being hosted is still open. This is a huge security vulnerability; how can we circumvent this?


wparad commented 2 months ago

What is supposed to kill the server? When I close the tab the server is of course still running, right?

The server starts and tab opens when I click the Actions For Nautilus Configurator from the XFCE applications menu. It runs this /usr/share/actions-for-nautilus-configurator/start-configurator.sh

This is on:

  • Xubuntu 24.04
  • Brave Browser

Is that enough information, or is there something else I should share?

bassmanitram commented 2 months ago

When you close the tab it should NOT be running.

On Tue, Jun 4, 2024, 00:18 Warren Parad @.***> wrote:

What is supposed to kill the server? When I close the tab the server is of course still running, right?

The server starts and tab opens when I click the Actions For Nautilus Configurator from the XFCE applications menu. It runs this /usr/share/actions-for-nautilus-configurator/start-configurator.sh

This is on:

  • Xubuntu 24.04
  • Brave Browser

Is that enough information, or is there something else I should share?


wparad commented 2 months ago

beforeExit is a Node.js event, not a JavaScript browser tab event, isn't it? If it is, I can't find the documentation on that.

bassmanitram commented 2 months ago

I'm not at the code at the moment so I am probably quoting the wrong event, but in the editor JavaScript you will see the 'beforeWhatever' event handler that sends a message to the server to close. When I get time I'll get back in front of the code.

On Tue, Jun 4, 2024, 15:47 Warren Parad @.***> wrote:

beforeExit is a Node.js event, not a JavaScript browser tab event, isn't it? If it is, I can't find the documentation on that.

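The thread turns on whether a handler in the page can be relied on to stop a local configuration server once the tab is closed. As an added example that is not part of the thread or the project's code: a Node.js server that binds to loopback only, accepts an explicit shutdown request from the page, and also stops itself when the page's heartbeats cease. The names `IdleWatchdog`, `route`, `serve`, the `/heartbeat` and `/shutdown` paths, and the timings are assumptions.

```javascript
// Added example, not the project's code. Route names and timings are assumptions.
const IDLE_LIMIT_MS = 10000; // stop after this long with no heartbeat from the page

class IdleWatchdog {
  constructor(limitMs, now = Date.now()) { this.limitMs = limitMs; this.lastSeen = now; }
  touch(now = Date.now()) { this.lastSeen = now; }
  expired(now = Date.now()) { return now - this.lastSeen > this.limitMs; }
}

// Pure routing decision, so the policy can be checked without opening a socket.
function route(method, path, dog, now = Date.now()) {
  if (method === 'POST' && path === '/heartbeat') { dog.touch(now); return { status: 204, stop: false }; }
  if (method === 'POST' && path === '/shutdown') return { status: 204, stop: true };
  if (method === 'GET' && path === '/') { dog.touch(now); return { status: 200, stop: false }; }
  return { status: 404, stop: false };
}

async function serve(port = 0) {
  const http = await import('node:http');
  const dog = new IdleWatchdog(IDLE_LIMIT_MS);
  const server = http.createServer((req, res) => {
    const { status, stop } = route(req.method, req.url.split('?')[0], dog);
    res.writeHead(status).end();
    if (stop) shutdown();
  });
  // Fallback: the browser may never deliver the unload-time request
  // (crash, killed process, blocked request), so the server times itself out.
  const timer = setInterval(() => { if (dog.expired()) shutdown(); }, 1000);
  function shutdown() {
    clearInterval(timer);
    server.close();                 // stop accepting; the listening port is released
    server.closeAllConnections?.(); // drop keep-alive sockets (Node >= 18.2)
  }
  // Loopback only, never 0.0.0.0; port 0 lets the OS pick a free port.
  server.listen(port, '127.0.0.1', () =>
    console.log(`listening on http://127.0.0.1:${server.address().port}/`));
  return server;
}

// Page side (runs in the browser, shown here as a comment):
//   setInterval(() => fetch('/heartbeat', { method: 'POST' }), 2000);
//   addEventListener('pagehide', () => navigator.sendBeacon('/shutdown'));

if (process.argv.includes('--serve')) serve();
```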