[Racket announcement] Racket Web Server Security Vulnerability

2016-02-08 Thread Sam Tobin-Hochstadt
We recently discovered a serious security vulnerability in the Racket
web server, which can lead to unintended disclosure of files on the
machine running the web server. This vulnerability is fixed in Racket
version 6.4, just released, and we encourage people to upgrade to that
version.

The vulnerability affects web servers that serve static files using
the `#:extra-static-files` option, including the default value of this
option. If you do not use the Racket web server to serve static files,
or you do so via a mechanism that does not use the `make-url->path`
function, then you are likely not vulnerable. Affected web servers will
allow specially-crafted URLs to access files outside of the specified
paths, potentially exposing any file that the web server process is
able to read.

If you cannot immediately upgrade to version 6.4, we have provided a
package catalog with updated versions of the "web-server-lib" package
for versions of Racket back to 6.0. That catalog is located at

  http://download.racket-lang.org/patches/web-server-1/

To use it to upgrade your Racket installation, add it as a catalog
using `raco pkg config`. To make this process easier, you can download
the Racket script available at
https://gist.github.com/samth/c81e1e2fabc744759970. Then run:

  $ racket add-catalog.rkt
  $ raco pkg update -i web-server-lib

On some systems, this may need to be run with administrator or
super-user privileges, if Racket was installed with those privileges.

If you need advice on updating Racket installations older than version
6.0, please let us know and we will provide it.

To test that your Racket installation is fixed, you can run the
program here: https://gist.github.com/samth/740cc39eb6c0d9bd7bc3

Thanks to Rob Henderson for the discovery of this issue.

Sam, for the Racket team

  Racket Announcements list:
  http://lists.racket-lang.org/announce


[Racket announcement] Racket v6.4

2016-02-08 Thread Ryan Culpepper

Racket version 6.4 is now available from

http://racket-lang.org/

- We fixed a security vulnerability in the web server.  The existing
  web server is vulnerable to a navigation attack if it is also
  enabled to serve files statically; that is, any file readable by
  the web server is accessible remotely. For more information see

http://blog.racket-lang.org/2016/02/racket-web-server-security-vulnerability.html

- DrRacket's scrolling is faster.

- Incremental garbage-collection mode can eliminate long pauses in a
  program. For example, incremental mode is useful for avoiding pauses
  in games and animations.

  Programs must specifically request incremental mode with
  `(collect-garbage 'incremental)`, but libraries such as
  `2htdp/universe` include the request as part of the library's
  implementation.

- The default package catalog is an HTTPS address instead of HTTP, and
  package operations properly validate server certificates when using
  HTTPS.

- Documents may define their own categories for the manual top-level
  page by using strings, rather than only symbols that name pre-defined
  categories.

- The Racket cheat sheet is included in the main distribution.

- DrRacket is available in Bulgarian, thanks to Alexander Shopov.

- The contract Typed Racket generates for the `Any` type is more
  permissive, allowing more typed/untyped programs to work without
  contract errors.

- Redex supports binding specifications; describe which variables bind
  in which expressions and your metafunctions and reduction relations
  automatically become scope-sensitive. Thanks to Paul Stansifer for
  this improvement.

- All `pict` functions accept `pict-convertible`s. This allows for
  transparent interoperability between `pict` and libraries like
  `2htdp/image`.

- The `raco profile` and `raco contract-profile` commands provide easy
  access to profiling tools, without requiring program modifications.

Feedback Welcome

 Racket Announcements list:
 http://lists.racket-lang.org/announce