Comments (3)
Hey @kseistrup ! First of all, thanks for taking the time to check out my tool, I really appreciate that.
About the security issue: thanks a lot for the report, I double-checked and you are absolutely right - that's quite a surprise for me that the standard Golang net/http server behaves like this. Anyway, it's my bad, so I apologize for that.
I'll work on the fix from now on: the simplest solution was to change

    ...
    server := &http.Server{Addr: ":" + port, Handler: httpRouter}
    go func() {
        err := server.ListenAndServe()
    ...

to

    ...
    server := &http.Server{Addr: "localhost:" + port, Handler: httpRouter}
    go func() {
        err := server.ListenAndServe()
    ...

but it breaks the notification feature - I'm looking into that now.
Update: my issue with the restricted-to-localhost approach was due to some local OS issues; it works well. Created a PR now.
from remindme.
I believe the issue should be patched now by adding a restriction to accept connections only from localhost.
If you still have time and inspiration, may I ask you to check this on your end, please? I don't have access to the Linux machine, only via VirtualBox, so not sure if that's a 100% accurate representation of the network state:
    sudo netstat -anp | grep remindme
    tcp 0 0 127.0.0.1:15555 0.0.0.0:* LISTEN 4475/remindme
Thanks, that's much better: the server is now listening on localhost only.
We should still be aware that this is "safe" only on a single-user machine: the remindme server can only be started once (because the port is hard-coded, something that should probably be changed because people may already be using port 15555), so that's good, but if somebody ssh's into a multiuser machine they will be able to add/edit/delete reminders that "belong" to the person who started remindme.
A safe solution is to use a socket for client-server communication. The socket should be owned by the user and preferably have permissions 0600 (at most 0660). The socket should live in the user's runtime directory: $XDG_RUNTIME_DIR is a good choice, so the full path of the socket could be e.g. $XDG_RUNTIME_DIR/remindme.socket or $XDG_RUNTIME_DIR/remindme-$UID.socket.
If $XDG_RUNTIME_DIR is unset, a directory with similar attributes should be chosen and used:
- The directory must be owned by the user, and
- they must be the only one having read and write access to it.
- Its Unix access mode must be 0700.
See e.g. https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html for the XDG Base Directory Specification.
Summary:
- Listening on localhost:15555 is much better than listening on a globally accessible IP address, however:
- The listening port should be user configurable (I will open a separate issue for this).
- Ideally, on platforms that support it, a socket should be used for client-server communication, and
- Ideally, the socket should be opened in $XDG_RUNTIME_DIR.
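One way to implement the socket-based approach proposed in the comment above, as an added example that is not code from remindme or from this thread. It assumes Linux/Unix (it reads syscall.Stat_t), that the caller has already chosen $XDG_RUNTIME_DIR or an equivalent directory, and that the returned listener is handed to http.Serve in place of ListenAndServe:

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// checkPrivateDir enforces the two properties the thread asks for: owned by the
// calling user and mode 0700, so no other local user can reach a socket inside
// it. Lstat means a planted symlink fails the IsDir test. Unix only (Stat_t).
func checkPrivateDir(dir string) error {
	fi, err := os.Lstat(dir)
	if err != nil {
		return err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !fi.IsDir() || !ok {
		return fmt.Errorf("%s: not a directory with readable ownership", dir)
	}
	if int(st.Uid) != os.Getuid() {
		return fmt.Errorf("%s: owned by uid %d, not %d", dir, st.Uid, os.Getuid())
	}
	if perm := fi.Mode().Perm(); perm != 0o700 {
		return fmt.Errorf("%s: mode %04o, want 0700", dir, perm)
	}
	return nil
}

// listenUnix binds dir/remindme.socket and tightens it to 0600. The brief window
// between Listen and Chmod is harmless because the directory itself is 0700.
// Pass the result to http.Serve(ln, httpRouter) instead of ListenAndServe.
func listenUnix(dir string) (net.Listener, error) {
	if err := checkPrivateDir(dir); err != nil {
		return nil, err
	}
	path := filepath.Join(dir, "remindme.socket")
	_ = os.Remove(path) // drop a stale socket left by a previous run
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(path, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil
}
```

The client side then dials with net.Dial("unix", path) via an http.Transport whose DialContext is overridden, so the HTTP router stays unchanged.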