-
Notifications
You must be signed in to change notification settings - Fork 269
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
application:set_env/3 in yaws:get_app_dir/0 is bad #382
Comments
Another more threatening issue is delivering those errors to the page, which is a security nightmare. I think a much better and safer option is to let it crash in this case. Thoughts? |
I'm still trying to figure out exactly how you're trying to upgrade, since what you're describing doesn't seem safe. There are modules loaded and running, and then you're just changing the load path? What's forcing anything to load from the new path? Clearly there is state still pointing to old paths, as indicated by the error message. |
I use a combination of Meanwhile yaws is caching a stale app_dir that doesn't get updated when I restart the Yaws application.
|
Is it better to replace get_app_dir/0 with |
If you really restarted the application, then I've never before heard of anyone using the various Otherwise, perhaps since you're already doing a custom upgrade, you just need to add a call to |
I think if you restart the Yaws application without bring down the VM, the envvars are all kept intact unless the application is unloaded with I had a workaround in place but I didn't find The reason I open this report is to provoke some rethink on this to see if it can be cleaned up or improved upon. What do you think of the security issue I raised in the second comment. I think a lot of Yaws early decisions were prioritised for developers which have become vulnerabilities. At one point (2017) I had Yaws happily put my DB password on the page. The viewers are 99% of the time not the developers so putting errors on page seems to make little sense besides handing critical info to attackers. |
Yes, I agree the security issue is a concern. I might be wrong but I'm guessing finding and plugging all occurrences of such behavior will not be a simple task. As usual, the best way to get an issue resolved is to submit a small test case or multiple test cases that show the problem(s), as it can often be difficult for us to reproduce problems from textual descriptions. |
It is hard to find all of them in any software projects. The following two can be a good start and should help Yaws' security a bit. Put the following code in a .yaws file and view the page in a browser:
Case 1 crashes and case 2 deliberately introduces a syntax error. The error texts should never appear on page, at the least not when debug is off. Personally I think case 2 should be treated at least as severe as the crash case, i.e. if a code block don't even compile, let the whole page crash. The current behaviour of partial success is painfully bad. |
Looking at this issue again. Note that the "Customizations" section of the Yaws tex documentation explains:
With Yaws server configuration, it's already possible to deal with some of the problems you mention by providing a custom error handling module, specifically for the To address this issue, I plan to
|
That’s a good plan. Secure by default is the only way actually. Secure is often backwards incompatible with insecure. |
Just upgraded Yaws to 2.0.7 on a live node by changing the code path without bring down the node and then I am immediately seeing a lot of these:
After some poking around I discovered it was the fault of
yaws:get_app_dir/0
, specifically this lineI grepped the yaws source and see
yaws:get_app_dir/0
only called rarely. So the above line does little and can cause harm.The text was updated successfully, but these errors were encountered: