Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-16 Thread Lizzie Dixon
Hi Christopher,

On 10/16, Christopher Allan Webber wrote:
> So, I guess this will work from a public site as well?

Yes! The HTML I mentioned in my post is available here: (Though note that it won't work

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-16 Thread Arne Babenhauserheide
Christopher Allan Webber writes:
> browsers do and don't allow, but I'm stunned that a browser will let a
> request from some http://foo.example/ to http://localhost:37146/, even
> for just a GET. It seems like there are all sorts of daemons you can
> exploit that way.

This can be pretty useful

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-16 Thread Christopher Allan Webber
Lizzie Dixon writes:
> Hi,
>
> On 10/11, Christopher Allan Webber wrote:
>> The default in Guile has been to expose a port over localhost to which
>> code may be passed. The assumption for this is that only a local user
>> may write to localhost, so it should be safe. Unfortunately, users
>>

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-15 Thread Alex Kost
Lizzie Dixon (2016-10-14 14:55 -0700) wrote:
> Hi,
>
> On 10/11, Christopher Allan Webber wrote:
>> The default in Guile has been to expose a port over localhost to which
>> code may be passed. The assumption for this is that only a local user
>> may write to localhost, so it should be safe.

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-14 Thread Lizzie Dixon
Hi,

On 10/11, Christopher Allan Webber wrote:
> The default in Guile has been to expose a port over localhost to which
> code may be passed. The assumption for this is that only a local user
> may write to localhost, so it should be safe. Unfortunately, users
> simultaneously developing Guile

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-12 Thread Thompson, David
On Wed, Oct 12, 2016 at 11:49 AM, Nala Ginrut wrote:
> But maybe we should provide both just like what php-fpm does? And let users
> choose which one to use, localhost:port or unix socket.

This is what Guile already does.

- Dave

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-12 Thread Nala Ginrut
On Tue, 2016-10-11 at 09:01 -0500, Christopher Allan Webber wrote:
> The Guile team has just pushed out a new commit on the Guile stable-2.0
> branch addressing a security issue for Guile.  There will be a release
> shortly as well.  The commit is
> 08c021916dbd3a235a9f9cc33df4c418c0724e03, or for