by protozen » Sat Nov 18, 2017 7:39 pm
Actually that doesn't work, but it's a good way to redefine methods to implement a form of permissions. What I mean is that when you run newlisp as a process with -http as in:
newlisp -http -d 8080 src.lsp
and in another newlisp process (write-file "http://localhost:8080/blah.txt" "write test") ... you'll find blah.txt with "write test" contents in the cwd of "newlisp -http -d 8080 src.lsp".
I know we're not really supposed to use it in production, but for simple sites, I would like to use the embedded server, but the above issue allows people to use file functions to overwrite pages etc... Files can be made write protected, but this is a small band-aid and doesn't really solve other issues. Is there a way to prevent the remote file processing?
I also see external actors trying to use it as an http proxy, as this is how it shows up in nmap. I've not looked into the implementation or security issues, just looking for quick and simple site publishing.
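
An added example, not part of the original post or of newLISP itself: because write-file to an http:// URL arrives at the server as an HTTP PUT, one way to publish a site read-only is to keep `newlisp -http` reachable only from loopback and place a small front end before it that forwards GET/HEAD and refuses everything else, including proxy-style request targets. The upstream address, the listening port 8000 and the names `check_request` and `ReadOnlyFront` are assumptions made for this example.

```python
import http.server
import urllib.error
import urllib.request
from urllib.parse import unquote, urlsplit

UPSTREAM = "http://127.0.0.1:8080"  # assumption: newlisp -http is firewalled to loopback
ALLOWED_METHODS = {"GET", "HEAD"}

def check_request(method, target):
    """Return (status, reason); only a 200 result may be forwarded upstream."""
    if method not in ALLOWED_METHODS:
        return 405, "method not allowed"   # PUT (remote write-file), DELETE, POST, CONNECT
    if not target.startswith("/") or target.startswith("//"):
        return 400, "proxy-style target"   # absolute-form URI, e.g. http://other.host/
    path = unquote(urlsplit(target).path)  # decode %2e%2e before checking segments
    if "\x00" in path or ".." in path.split("/"):
        return 403, "path traversal"
    return 200, "ok"

class ReadOnlyFront(http.server.BaseHTTPRequestHandler):
    def _handle(self):
        status, reason = check_request(self.command, self.path)
        if status != 200:
            self.send_error(status, reason)
            return
        req = urllib.request.Request(UPSTREAM + self.path, method=self.command)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body, code, hdrs = resp.read(), resp.status, resp.headers
        except urllib.error.HTTPError as e:   # pass upstream 4xx/5xx through
            body, code, hdrs = e.read(), e.code, e.headers
        except OSError:
            self.send_error(502, "upstream unavailable")
            return
        self.send_response(code)
        self.send_header("Content-Type", hdrs.get("Content-Type", "text/plain"))
        self.send_header("Content-Length", hdrs.get("Content-Length", str(len(body))))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    # Route every common method through the same check so writes get an explicit 405.
    do_GET = do_HEAD = do_PUT = do_POST = do_DELETE = do_CONNECT = _handle

if __name__ == "__main__":
    http.server.ThreadingHTTPServer(("0.0.0.0", 8000), ReadOnlyFront).serve_forever()
```

The front end only helps if port 8080 itself is unreachable from outside, for example through a host firewall rule.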