mmm​.s‑ol.nu

pleasant stuff with interfaces
an error occured while rendering this view:

Today I implemented updating/saving content in the server, and bridged the feature to the client. In the inspector there is now a save changes button that (attempts to) save the content on the server’s filesystem [4b8d9be].

demonstration of editing and persistantly saving facet

Originally I wanted to create a sandbox fileder that was to be edited by any one online [d9eafa2]. I restricted editing to only fileders underneath /sandbox, but then upon publishing quickly realized that this left open a major security vulnerability, since content can be evaluated on server or client: if a client were to create a facet exploit: text/lua -> text/plain with the following content in the root:

pass = io.open('/etc/passwd', 'r')
return pass:read("*all")

…and then request that facet as converted to text/plain (GET /exploit: text/plain), then that Lua code would be executed on the server, and return the confidential passwd file on the server. This basically meant handing anyone online full unconditionaly access to my server (or at least the VM running the website, and potentially options to escalate from there).

As a result I had to choose to either disable public editing, or disable server-side code execution. Because server-side execution is a major feature of mmmfs, I settled for the following compromise [1e3b0a1]:

  • when developing and running locally, editing and code execution are both enabled in ‘unsafe mode’
  • on https://ba.s-ol.nu, editing is disabled but code execution is possible
  • on https://sandbox.s-ol.nu, editing is enabled but code server-side code execution is disabled

The Sandbox can now be found at the following address, at least until the thesis project is concluded:

sandbox.s-ol.nu

Currently it is only possible to edit existing facets, but creation and deletion of facets and fileders should be implemented soon.