From: divoplade
Newsgroups: gmane.lisp.guile.user
Subject: Re: Guile web server example serving static files
Date: Fri, 18 Sep 2020 07:56:04 +0200
To: Zelphir Kaltstahl, Guile User
Hello Zelphir,

On Thursday, 17 September 2020 at 23:45 +0200, Zelphir Kaltstahl wrote:
> I finally managed to create an example for using Guile's web server
> and serving static files. A rather silly bug kept me for a few days
> from making progress, but finally today I fixed it.
>
> I tried to implement some security checks about the path of the
> requested static assets. If anyone wants to look at it and point out
> issues with it, I will try to fix it, or you could make a pull
> request. If there are any other issues, it would also be great to
> know them : )
>
> Here is the code in my repository:
>
> https://notabug.org/ZelphirKaltstahl/guile-examples/src/65ba7cead2983f1ceb8aa2d4eedfe37734e5ca56/web-development/example-03-serve-static-assets
>
> I tried to comment most stuff, so that the code can be understood
> more easily.
>
> And here is a pointer to the path security stuff:
>
> https://notabug.org/ZelphirKaltstahl/guile-examples/src/65ba7cead2983f1ceb8aa2d4eedfe37734e5ca56/web-development/example-03-serve-static-assets/web-path-handling.scm#L50

As for why Guile avoids reasoning about "paths", see
https://www.gnu.org/prep/standards/standards.html#GNU-Manuals:

    Please do not use the term "pathname" that is used in Unix
    documentation; use "file name" (two words) instead. We use the
    term "path" only for search paths, which are lists of directory
    names.

Also, your functions "absolute-path" and "complex-path?" in
path-handling.scm
https://notabug.org/ZelphirKaltstahl/guile-examples/src/65ba7cead2983f1ceb8aa2d4eedfe37734e5ca56/web-development/example-03-serve-static-assets/path-handling.scm
do not seem to me that they would work correctly when passed something
starting with "../" (as opposed to containing "/../"). I think that with
a little bit of work you could accept "../" in arguments and tweak
path-join to go up (by discarding anything in path1 after the last '/'
and go to the next part, if there is something to discard). Also I am
not sure how it would remove inclusions of '/./' or leading './' in the
name.

The URI RFC (https://tools.ietf.org/html/rfc3986#section-5) describes an
algorithm in section 5.2, Relative resolution, that does the
canonicalization of a URI relative to an absolute URI (you just need to
ignore the scheme, authority, query and fragment parts and focus on the
path). This is similar to canonicalization of file names, except for
the \\ difficulty. In particular, see 5.2.4, Remove dot segments.

Also, you should refrain from checking if a file exists, because it
could be deleted between your call to file-exists? and when you actually
open the file. Thus, passing the file-exists? test will not guarantee
that the file will exist when you want to use it, and even less that you
will be able to open it and read it.
Finally, you don't need to check if a file name is "safe" at all. The
file procedures do not interpret or substitute variables or ~ or ``
(try it: change directory to /tmp and write to files named ~root,
`pwd`, $PATH, '*', ... just be aware that you will have a hard time
deleting them from bash!), and there is nothing special with files
named as a series of dots. That's good, otherwise you would also need
to check for '%' in MinGW and whatever stuff Microsoft invented to
change the file name experience.

Best regards,

divoplade
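To make the two points in the reply concrete (RFC 3986 section 5.2.4 dot-segment removal, which also handles a leading "../", and opening the file instead of testing file-exists?), here is an added Guile Scheme example; it is not code from Zelphir's repository or from the message. It assumes the request path has already been percent-decoded, that DOC-ROOT carries no trailing slash, and that the hypothetical `read-static-file` returns #f where the caller would answer 404.

```scheme
(use-modules (srfi srfi-13)
             (ice-9 binary-ports))

;; Step C helper: drop the last segment of OUT together with its "/".
(define (drop-last-segment out)
  (let ((i (string-rindex out #\/)))
    (if i (substring out 0 i) "")))

;; RFC 3986, section 5.2.4, remove_dot_segments, applied literally.
;; Unlike a "contains /../" test it handles a leading "../" or "./",
;; a "/./" in the middle and a trailing "/.." or "/." as well.
(define (remove-dot-segments path)
  (let loop ((in path) (out ""))
    (cond
     ((string-null? in) out)
     ;; A: a leading "../" or "./" is dropped
     ((string-prefix? "../" in) (loop (string-drop in 3) out))
     ((string-prefix? "./" in)  (loop (string-drop in 2) out))
     ;; B: "/./" or a final "/." is replaced by "/"
     ((string-prefix? "/./" in) (loop (string-drop in 2) out))
     ((string=? "/." in)        (loop "/" out))
     ;; C: "/../" or a final "/.." becomes "/" and pops one output segment
     ((string-prefix? "/../" in) (loop (string-drop in 3) (drop-last-segment out)))
     ((string=? "/.." in)        (loop "/" (drop-last-segment out)))
     ;; D: a bare "." or ".." is removed
     ((member in '("." "..")) (loop "" out))
     ;; E: move the first segment, with its leading "/", to the output
     (else
      (let* ((start (if (string-prefix? "/" in) 1 0))
             (end   (or (string-index in #\/ start) (string-length in))))
        (loop (string-drop in end)
              (string-append out (string-take in end))))))))

;; Map a percent-decoded request path onto DOC-ROOT (assumed, no trailing
;; "/").  The path is forced to start with "/" before normalisation, so
;; no number of ".." can climb above "/" and the result stays in DOC-ROOT.
(define (static-file-name doc-root request-path)
  (string-append doc-root
                 (remove-dot-segments
                  (if (string-prefix? "/" request-path)
                      request-path
                      (string-append "/" request-path)))))

;; No file-exists? check: open directly and let a failure (ENOENT, EACCES,
;; EISDIR on read, ...) signal 'system-error, mapped to #f for a 404.
;; Note that get-bytevector-all yields the EOF object for an empty file.
(define (read-static-file doc-root request-path)
  (catch 'system-error
    (lambda ()
      (call-with-input-file (static-file-name doc-root request-path)
        (lambda (port) (get-bytevector-all port))
        #:binary #t))
    (lambda (key . args) #f)))
```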