Today I implemented updating/saving content in the server, and bridged the feature to the client.
In the inspector there is now a
save changes button that (attempts to) save the content on
the server’s filesystem [
Originally I wanted to create a
sandbox fileder that was to be edited by any one online [
I restricted editing to only fileders underneath
/sandbox, but then upon publishing quickly realized
that this left open a major security vulnerability, since content can be evaluated on server or client:
if a client were to create a facet
exploit: text/lua -> text/plain with the following content in the root:
pass = io.open('/etc/passwd', 'r')
…and then request that facet as converted to
GET /exploit: text/plain),
then that Lua code would be executed on the server, and return the confidential
passwd file on the server.
This basically meant handing anyone online full unconditionaly access to my server
(or at least the VM running the website, and potentially options to escalate from there).
As a result I had to choose to either disable public editing, or disable server-side code execution.
Because server-side execution is a major feature of mmmfs, I settled for the following compromise [
- when developing and running locally, editing and code execution are both enabled in ‘unsafe mode’
- on https://ba.s-ol.nu, editing is disabled but code execution is possible
- on https://sandbox.s-ol.nu, editing is enabled but code server-side code execution is disabled
The Sandbox can now be found at the following address, at least until the thesis project is concluded:
Currently it is only possible to edit existing facets, but creation and deletion of facets and fileders should be implemented soon.