From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Arne Babenhauserheide Newsgroups: gmane.lisp.guile.devel,gmane.lisp.guile.user Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix) Date: Sun, 16 Oct 2016 21:51:27 +0200 Message-ID: <871szgvzr4.fsf@web.de> References: <87k2dfc7dd.fsf@dustycloud.org> <20161014215551.GA31883@lizzie.io> <87lgxo9vx8.fsf@dustycloud.org> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Trace: blaine.gmane.org 1476647540 27193 195.159.176.226 (16 Oct 2016 19:52:20 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Sun, 16 Oct 2016 19:52:20 +0000 (UTC) User-Agent: mu4e 0.9.16; emacs 24.5.1 Cc: guile-user@gnu.org, guile-devel@gnu.org To: Christopher Allan Webber Original-X-From: guile-devel-bounces+guile-devel=m.gmane.org@gnu.org Sun Oct 16 21:52:16 2016 Return-path: Envelope-to: guile-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bvrTZ-0005CX-Pu for guile-devel@m.gmane.org; Sun, 16 Oct 2016 21:52:05 +0200 Original-Received: from localhost ([::1]:57604 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bvrTb-00052s-Uv for guile-devel@m.gmane.org; Sun, 16 Oct 2016 15:52:07 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:50820) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bvrTI-00051W-1u for guile-devel@gnu.org; Sun, 16 Oct 2016 15:51:49 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bvrTE-00018X-5u for guile-devel@gnu.org; Sun, 16 Oct 2016 15:51:48 -0400 Original-Received: from mout.web.de ([212.227.17.11]:62978) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1bvrTD-00017y-S6; Sun, 16 Oct 2016 15:51:44 -0400 Original-Received: from fluss ([85.212.19.162]) by smtp.web.de (mrweb101) with ESMTPSA (Nemesis) id 0M9ojk-1c6t2201fs-00B6fw; Sun, 16 Oct 2016 21:51:30 +0200 In-reply-to: <87lgxo9vx8.fsf@dustycloud.org> X-Provags-ID: V03:K0:LZvH1Dqu7pl+ptse7YxkolokQRc6BgZIGa+UfkiS5fXVojgkUaS BT4khOMcsV+zbCHqPZYPrG0gsHHdoDGM0VxRaUvDmRAQ5JI6soc4SlGfsw34pQwcDztmFUV NDktKI4NUdnrl8kDiQX8DzSutW5UdGIwu8yAwOjWfA9JhzLmQMuvg/UeQykCeoyRAzvHZyF nmzKR7+DRyxgTt2FdTrJw== X-UI-Out-Filterresults: notjunk:1;V01:K0:QWv4Edxb/gc=:/N8QhwCVClpoJVQFjYQNYE HodD7b2G/HpHK7Emow87i54t/GBRXpWB8c4CAzLe8q4McrGAfEAirPSztMsaPxNEGa5xf7xLl xEyT+ohhyaIXSLCQ9LjX0x4Q7YHemU7UN0LxCEUFFdKWut46CUMb/3RaZgrFI39lOpD7YrGDB oWE4KBtkjoMjfTom5f6j/EzGafz0RdGp5z1d6hsMe7hf9CvQaXO3TqCkBK5WW44vGWQdiEIqQ y3wwJHeW1WMBZRwD/CTC1xMgHgAaOrGq/THWeZ8lMSwFKWM0L07WQnVA8+zY/fJYiHPoyWjBd P2srebCeonHv0s9w9m5Hva2wMQyK/K+gsJHes8HOt+kwxaQuyejkZurVRLn+zfG6HbFBRHTKU 8/QUi1gmdnrrp/ajYJYYMc7PLki3L3D+OihZVxajLdkHzB6zBT5HTLQbdDuORxbibXYPAOIRJ bpn8y4omgp+7DXPIUislg8Z90IOHHmMOkx/ih9QTCUgwKgH4VMsWzdxEKhAEzaxBpk/jX085D mTRatMxsOOL3Mc7SaBpL5q0WY/OqvHPfTTvYX3yWMf1ZIQPxufL9LcBlbuWC849zb/QFlSe+S VuksEclhDqPmWZhfd176BwJ8qeJKv4+8a0t2t3l95VZF+IY5zT+lKGal5k0AyE0WtZPSI4P8c Vq0wmnaEGkaknFH2WqcsV0mulCj7Th/bqoTezEul4nvOkW31ysco5s297g9+2rsNqFgcNTYH/ b7Khm/Nx7IJxKPxWlgGBaRF2CNGDISHe/rh0dupNX5nU0xJpvhlhjpboxOY= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 212.227.17.11 X-BeenThere: guile-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Developers list for Guile, the GNU extensibility library" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guile-devel-bounces+guile-devel=m.gmane.org@gnu.org Original-Sender: "guile-devel" Xref: news.gmane.org gmane.lisp.guile.devel:18723 gmane.lisp.guile.user:12955 Archived-At: --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Christopher Allan Webber writes: > browsers do and don't allow, but I'm stunned that a browser will let a > request from some http://foo.example/ to http://localhost:37146/, even > for just a GET. It seems like there are all sorts of daemons you can > exploit that way. This can be pretty useful for embedding an iframe with a local service (I do that for babcom[1]: Decentralized comments over Freenet, sadly still pretty slow, because I=E2=80=99m using an in-Freenet system for that which wasn=E2=80=99t optimized for the usecase). On the downside, companies use the same methods to connect local services with playback-restrictions (DRM) which aren=E2=80=99t easily doabl= e via the web alone. Likely this is the reason why it=E2=80=99s still possible, t= hough I=E2=80=99d wish it were the other way round (possible for the good usages,= not possible for the problematic-but-profitable ones)=E2=80=A6 [1]: http://www.draketo.de/proj/freecom/ Best wishes, Arne =2D-=20 Unpolitisch sein hei=C3=9Ft politisch sein ohne es zu merken --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJYA9o/AAoJEBPvjUUkA8PreG8QAIC/tlmiyp7oc8bHW4nRM1c5 sPCQXFk9DblCNTlGVqcc3uoZAA9s9onT3GycTIMElCxUFO1Yyycm0D6AsgdXtBVW 7b/fiIyg9anp42WPzobh4s9l6sQmB9eALFUkZJuPwbQ0WAcOHSxG36iAxmsPIzFR 8pN4xQehiiuUwH6AKtpGhtE3c2l6QzVwsuvCM/Evi+vDaBChWtzUTxrw5rkc5DeK aj8mMdBnf+CrXkfGPGa6Kicgifde3srEATMVtorsoq8gigw+MAf4JNuY3fPV98Y0 1cw30QNDoqkJhK190iAn2HjL2kgrV+DQJ4nZNPvx2MZ4BrQRHVbtd+UdoyHOuLjp PJK7ncSzY3KR94bJ387NKzF3c3GDUzIF2zz9CsFJGQyN0Xp0DWyWj3loZNZSC4L+ LqMeE+fNgtwImde5TZsQ0YfAFlr0TJ3fMzwwkY8ksh61j6a5UI5fkkfKVivJ/C2j qwFcN7nD+izDSih8AmtFinnMYQX7Ximi8IDGYVIAwBR/3FGzT3ureFKS5QDWGn9P 2HnL5Vc5oEuA1r8OlORriF8nmdjAL3iQ8JO++vCZCiPD6dZB6mzbgPlw1hm+Y51x g2wFThPLzu4qB1wDSzw39gS5MYB0KSvnh/aPoQx1ZdtTpxQLGGuWpnxD8XohypbR Y5FmrM9iPebrnNUAF7wQ =wmAD -----END PGP SIGNATURE----- --=-=-=--