fukamachi / caveman

Lightweight web application framework for Common Lisp.
http://8arrow.org/caveman/

Unrestricted filesystem access from outside #36

Closed geomaster closed 9 years ago

geomaster commented 9 years ago

First, I am a Common Lisp newbie (just writing my first program in it ever!) so I'm not quite familiar with the ecosystem and have no idea if this is an issue with Caveman2 itself. I suppose it's not and it has something to do with Clack or even the underlying server (I have tested and this issue is present with both Wookie and Hunchentoot, FCGI doesn't work for me for some reason), but regardless of that I think that Caveman2 should be patched to disallow this behavior, at least by default. Let me demonstrate:

First, create a Caveman2 skeleton project and start it:

$ mkdir ~/path/to/project
$ ccl
? (ql:quickload :caveman2)

    [quicklisp output...]

? (caveman2:make-project #P"~/path/to/project")

    [caveman2 output...]

? (quit)
$ cd ~/path/to/project
$ shly start --port 8080 --server :hunchentoot

Now, send a malicious HTTP request:

$ recode latin1..dos | nc localhost 8080
GET /css/../../../../../../../../etc/passwd HTTP/1.1
Host: localhost

^D
HTTP/1.1 200 OK
Date: Sun, 14 Sep 2014 00:06:14 GMT
Server: Hunchentoot 1.2.27
Accept-Ranges: bytes
Content-Length: 1171
Last-Modified: Sat, 06 Sep 2014 18:26:58 GMT
Content-Type: text/plain;charset=utf-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/bin/nologin
daemon:x:2:2:daemon:/:/usr/bin/nologin
...

As you can see, using the default Caveman2 configuration, I was able to see the contents of /etc/passwd on my filesystem. If an issue needs to be opened with some upstream project, I'll be happy to.

Btw, I was really happy to find Caveman2 and I think it's a great project—kudos to all the developers who made this possible. I apologize if this is a feature and not a bug, but I strongly feel that this should not be default behavior.
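The traversal shown in the report, and the kind of check a static-file handler needs before it opens anything, as an added example that is not Caveman's or Clack's code: a language-neutral illustration in Python (the actual fix lives in Clack's static middleware and is not reproduced here). The document root, file names and request lines are constructed.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


def safe_static_path(document_root, url_path):
    """Return the file inside document_root that url_path refers to, or None
    when the request would escape the root (the /css/../../../etc/passwd case
    from the report). document_root is assumed to be an absolute path."""
    root = os.path.realpath(document_root)
    # Decode percent-escapes first so the check sees the same path the
    # filesystem would; a NUL byte is never part of a legitimate name.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Collapse "." and ".." in URL space while treating the path as relative
    # to the root. Anything that still starts with ".." climbed above it.
    relative = posixpath.normpath(decoded.lstrip("/"))
    if relative == ".." or relative.startswith("../"):
        return None
    candidate = os.path.realpath(os.path.join(root, relative))
    # Second layer: after symlinks are resolved the target must still be
    # inside the root, otherwise a link inside the tree could point out of it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_static(document_root, request_line):
    """Minimal dispatcher: decide the status for a request line such as
    'GET /css/style.css HTTP/1.1'. Returns (status, path_or_None)."""
    method, url_path, _version = request_line.split(" ", 2)
    if method not in ("GET", "HEAD"):
        return 405, None
    path = safe_static_path(document_root, url_path.split("?", 1)[0])
    if path is None:
        return 403, None          # traversal attempt: refuse, never fall back
    if not os.path.isfile(path):
        return 404, None
    return 200, path


if __name__ == "__main__":
    # Constructed demo root holding one stylesheet.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "style.css"), "w") as f:
            f.write("body { margin: 0 }\n")
        for line in ("GET /css/style.css HTTP/1.1",
                     "GET /css/../../../../../../../../etc/passwd HTTP/1.1"):
            print(line, "->", serve_static(root, line)[0])
```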

fukamachi commented 9 years ago

OH MY GOD! This must be a serious security bug of Clack. I'm fixing it right now.

Unfortunately, it won't be in time for Quicklisp September update. Use a reverse proxy for serving static files or the latest Clack until the next update.

Anyway, I appreciate your finding and reporting this.

fukamachi commented 9 years ago

Okay, it has been fixed now; I'm closing this. Feel free to reopen this if you still have some problems.

geomaster commented 9 years ago

Thanks for the prompt fix! I didn't realize you were the mastermind behind Clack as well. The CL community would surely have had it very hard if you weren't around to develop all this stuff. Very impressive. :) Anyways, this wasn't that big of an issue because I was using Caveman2/Clack for a 127.0.0.1 server, but it still doesn't hurt to have it fixed. Thanks again, and keep up the good work!