Re: [racket-users] Racket Package Server Security Vulnerabilities

2015-09-24 Thread Michael Wilber
(sorry Sam, forgot to Cc list)

Thank you for disclosing these vulnerabilities! Responsible disclosure
helps everyone.

Sam Tobin-Hochstadt writes:
> * Check any packages you have uploaded to the site, to ensure that no
> unexpected changes have been made to them.

Is package signing on Racket's roadmap? The only way to protect against
these kinds of attacks is to have clients verify package signatures.
Every major Linux package manager now does this. I think it's at least
worth seriously considering.

One question: If an attacker was able to access the server under the
privileges of the package website, what's stopping them from just
silently uploading a change and then removing that entry from the
"Package Changes" list?

-- 
You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to racket-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [racket-users] Sending RESTful Commands using Racket

2015-06-17 Thread Michael Wilber
If you're on linux, one dirty trick you could try is to start up a local
web server like netcat to just listen on the HTTP port and show you
the request that's happening:

nc -l -p 80

Then, point Curl and your Racket script to localhost and compare the
request sent by each.

bruc...@gmail.com writes:
 John,

 Thank you so much. That solved the problem of controlling the lights. 
 However, I still can't figure out how to get at the response from the Hue 
 Bridge. I should be receiving:

 [
   {"success":{"/lights/1/state/on":true}},
   {"success":{"/lights/1/state/bri":170}},
   {"success":{"/lights/1/state/ct":500}}
 ]

 I'm having the same problem when I use GET to inquire about the state of the 
 lights.

 My best,
 Bruce

 On Wednesday, June 17, 2015 at 2:50:36 PM UTC-4, johnbclements wrote:
  On Jun 17, 2015, at 11:38 AM, Bruce wrote:
 
  Thanks so much; however, I'm still having trouble getting the lights to 
  respond. I had to alter your example somewhat, because Racket was 
  complaining about an in-string: contract violation. The following seems 
  to work:

 Oops forgot to cc: group:

 Going back to your original message, it appears that the data was encoded as 
 JSON, not using a urlencoding (that would make sense for a GET, but not for 
 a PUT or POST).

 Try using this code to generate the data:

 #lang racket
 (require json)

 (jsexpr->string
  (hash 'on #t
        'bri 170
        'ct 500))

 Let me know if you want me to stuff it into the http-sendrecv call.

 John


 

  (http-sendrecv
   "192.168.1.95" "/api/username/lights/1/state"
   #:method 'PUT
   #:data
   (alist->form-urlencoded
    (list (cons 'bri 1)
          (cons 'ct 500)))
   #:headers
   '("Content-Type: application/x-www-form-urlencoded"))
 
  However, instead of affecting the light, I just get the following on the 
  REPL:
 
  #"HTTP/1.1 200 OK"
  '(#"Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
    #"Pragma: no-cache"
    #"Expires: Mon, 1 Aug 2011 09:00:00 GMT"
    #"Connection: close"
    #"Access-Control-Max-Age: 3600"
    #"Access-Control-Allow-Origin: *"
    #"Access-Control-Allow-Credentials: true"
    #"Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE, HEAD"
    #"Access-Control-Allow-Headers: Content-Type"
    #"Content-type: application/json")
  #<input-port:pipe>
 
  I've also tried sending the message using:
 
  #:data
  (form-urlencoded-encode "\"bri\": 1")
 
  and changing the #:headers to '("Content-Type: application/json")
 
  Any thoughts?
 
  My best,
  Bruce
 
  On Wednesday, June 17, 2015 at 11:35:32 AM UTC-4, Alexis King wrote:
  You probably want to use the net/http-client library, specifically the 
  http-sendrecv function. I’m not 100% sure, but I’d guess that the 
  equivalent Racket code for your curl command would look something like 
  this.
 
  (require net/http-client
           net/uri-codec)

  (http-sendrecv
   "192.168.1.20" "/api/username/lights/8/state"
   #:method 'PUT
   #:data
   (alist->form-urlencoded
    '((on #t)
      (bri 170)
      (ct 500)))
   #:headers
   '("Content-Type: application/x-www-form-urlencoded"))
 
  See 
  http://docs.racket-lang.org/net/http-client.html#%28def._%28%28lib._net%2Fhttp-client..rkt%29._http-sendrecv%29%29
 
  On Jun 17, 2015, at 7:57 AM, Bruce wrote:
 
  Hello,
 
  I'm new to programming, so patience is appreciated. I'm writing a simple 
  program in Racket to control Philips Hue bulbs in a performance 
  environment. Philips has a simple RESTful API and I'm looking for the 
  Racket commands or library to send the commands. Previously I've used 
  AppleScript to launch bash curl commands, like:
 
   curl -X PUT -d '{"on":true,"bri":170,"ct":500}' 
  http://192.168.1.20/api/username/lights/8/state
 
  Is there an easy way to send a similar message in Racket?
 
  Thank you,
  Bruce
 


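The thread leaves two things open: John's point that the bridge wants a JSON body rather than form-urlencoded data, and Bruce's question of how to get at the reply instead of seeing `#<input-port:pipe>` printed. The following is an added example, not code from any of the posters. It sends the PUT with `net/http-client` and `jsexpr->string`, parses the reply with `read-json`, and, because there is no bridge to talk to offline, starts a constructed stand-in on localhost that prints the incoming request line and headers (the same information the netcat trick shows) and answers with the success list the thread quotes. The bridge address and `username` from the thread are placeholders; `hue-put-state` and `start-fake-bridge` are names chosen here.

```racket
#lang racket
;; Added example (not code from the thread): send a Hue-style PUT with a JSON
;; body using net/http-client and read the JSON reply from the returned port.
;; The API username is a placeholder from the thread; start-fake-bridge is a
;; constructed stand-in for the real bridge so the script runs offline.
(require net/http-client json)

;; PUT a state change to /api/<username>/lights/<light>/state.
;; Returns the status line, the reply headers and the parsed JSON body.
(define (hue-put-state host port username light state)
  (define-values (status headers in)
    (http-sendrecv host
                   (format "/api/~a/lights/~a/state" username light)
                   #:port port
                   #:method #"PUT"
                   ;; the bridge expects JSON, not form-urlencoded data
                   #:headers '("Content-Type: application/json")
                   #:data (jsexpr->string state)))
  ;; read-json consumes the response port that the REPL otherwise just prints
  (define body (read-json in))
  (close-input-port in)
  (values status headers body))

;; Constructed stand-in for the bridge: accepts one connection, echoes the
;; request line and headers to stderr, decodes the JSON body and answers with
;; the same kind of success list the Hue API returns.
(define (start-fake-bridge port)
  (define listener (tcp-listen port 4 #t "127.0.0.1"))
  (thread
   (lambda ()
     (define-values (in out) (tcp-accept listener))
     (define request-line (read-line in 'any))
     ;; collect header lines up to the blank line that ends them
     (define headers
       (let loop ([acc '()])
         (define line (read-line in 'any))
         (if (or (eof-object? line) (string=? line ""))
             (reverse acc)
             (loop (cons line acc)))))
     (eprintf "fake bridge got: ~a\n" request-line)
     (for ([h headers]) (eprintf "  ~a\n" h))
     ;; http-sendrecv sends Content-Length for string data, so read exactly that
     (define content-length
       (for/first ([h headers] #:when (regexp-match? #rx"^(?i:content-length):" h))
         (string->number (string-trim (cadr (regexp-match #rx":(.*)$" h))))))
     (define state
       (string->jsexpr (bytes->string/utf-8 (read-bytes (or content-length 0) in))))
     ;; "/api/<username>/lights/8/state" -> "/lights/8/state"
     (define light-path
       (cadr (regexp-match #rx"^/api/[^/]+(/.*)$" (cadr (string-split request-line)))))
     (define reply
       (for/list ([(k v) (in-hash state)])
         (hasheq 'success
                 (hasheq (string->symbol (format "~a/~a" light-path k)) v))))
     (define payload (string->bytes/utf-8 (jsexpr->string reply)))
     (write-bytes
      (bytes-append #"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                    #"Connection: close\r\nContent-Length: "
                    (string->bytes/utf-8 (number->string (bytes-length payload)))
                    #"\r\n\r\n"
                    payload)
      out)
     (flush-output out)
     (close-output-port out)
     (close-input-port in)
     (tcp-close listener))))

(module+ main
  (define port 8099)                      ; arbitrary local port for the stand-in
  (start-fake-bridge port)
  (define-values (status headers body)
    (hue-put-state "127.0.0.1" port "username" 8 (hasheq 'on #t 'bri 170 'ct 500)))
  (printf "status: ~a\n" status)
  ;; body is a list of hasheq values: ((success . (/lights/8/state/on . #t)) ...)
  (for ([entry body])
    (for ([(k v) (in-hash (hash-ref entry 'success))])
      (printf "~a => ~a\n" k v))))
```

Run it with `racket file.rkt`; the stderr lines show the exact request line and headers the Racket client produced, which is what you would compare against curl's request when debugging. To use a real bridge, drop `start-fake-bridge` and call `hue-put-state` with the bridge's address and port 80.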