Hi all,

we detected a critical security issue in the PicoLisp HTTP GUI:

Per default, process-local temporary files (as maintained with the 'tmp'
function) were implicitly 'allow'ed. This is OK for e.g. documents generated by
the application to be downloaded by the user's browser.

But in principle this also allows access to other temporary files not intended
to be seen by the user, and - worst of all - executing such files if they have
the ".l" extension.

As a result, if a malicious user manages to upload an ".l" file to a running
session, he can execute it in that session's environment. This is not trivial,
as he must know the port, session ID, and process ID of that session, but not
impossible with enough knowledge and a finite number of trials.


The issue is fixed with version 23.7.17. Temporary files now must be explicitly
'allow'ed to be accessible via HTTP.


Please download and install the rolling release from

   https://software-lab.de/pil21.tgz

For most applications no change is needed, because the document functions in the
PicoLisp runtime libraries take care to 'allow' what they generate.

If your application creates other 'tmp' files which must be accessible in the
GUI, please change all relevant

   (tmp ..)

calls to

   (allow (tmp ..))
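As an added example (not code from the announcement or the PicoLisp libraries), a hypothetical export handler after the fix: only the file meant for the user's browser is wrapped in 'allow', while a scratch file the application uses internally is left unallowed and therefore stays inaccessible via HTTP. The function name 'exportCsv', the file names and the sample rows are assumptions.

```picolisp
# Hypothetical handler: builds a CSV for the user to download.
# With 23.7.17 a 'tmp' file is reachable via HTTP only if it is
# explicitly 'allow'ed, so the wrap goes around the download only.
(de exportCsv (Rows)
   (let (Scratch (tmp "work.tmp")  Csv (tmp "export.csv"))
      # Internal scratch data: not allowed, so the browser cannot fetch it
      (out Scratch
         (prinl "internal state, never served") )
      # The document for the user: explicitly allowed, as in (allow (tmp ..))
      (out Csv
         (prinl "id,name")
         (for R Rows
            (prinl (car R) "," (cdr R)) ) )
      (allow Csv) ) )

# Constructed sample call; returns the allowed path of the CSV
(exportCsv '((1 . "alice") (2 . "bob")))
```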

Sorry for the trouble!

☺/ A!ex
