
Public Service Announcement - smolver Security Hole Mitigated


I have mitigated the smolver security defect mentioned about a week ago.


PSA for Security Hole


If you are running smolver, please update to v1.2.1 (or later, if you find this in the future) and follow the instructions in the 'For smolver Admins' section as soon as possible.


The Mitigation


Mitigation steps taken:


* Forbid serving of .smol.json files.

* A secondary check has been added that forbids serving of the main config.json. It should not have been possible to serve this file previously; the check is just an extra precaution.

* Forbid serving of anything in smolver's internal anonymous authentication directories (only applicable if you have anonymous authentication configured).


The other vulnerability mentioned in the PSA I am leaving to the individual smolver system administrator: do not keep anything sensitive in a directory or subdirectory of one whitelisted via config.json's `staticContent.allowedFileDownloadPaths`.
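The following is an added example written for this page, not smolver's own code, showing what a request gate implementing the three mitigation steps above looks like and, just as importantly, what it does not catch. The URL-prefix-to-directory mapping, the directory names and the request paths are all constructed for illustration; smolver's actual config.json layout is not shown on this page.

```python
# Added example, not smolver's own code: a request gate mirroring the
# mitigation steps above. The URL-prefix -> directory mapping and all paths
# are constructed for illustration; smolver's real config layout is assumed.
import os
import posixpath
from urllib.parse import unquote

# Constructed whitelist in the spirit of staticContent.allowedFileDownloadPaths
ALLOWED_DOWNLOAD_PATHS = {
    "/static": "/srv/gemini/static",
    "/pub": "/srv/gemini/pub",
}

# Names the page says are blacklisted: sensitive by design and located next
# to servable content. Anything else under a whitelisted directory (logs,
# TLS material, whitelisted client .pem files) is NOT caught by this list.
BLACKLISTED_FILES = {".smol.json", "config.json"}
BLACKLISTED_DIRS = {".anonymous-authentications"}


def resolve(url_path):
    """Return (filesystem path, path components relative to the whitelisted
    directory), or None when the request is outside every whitelisted prefix.

    The URL is percent-decoded and normalised before the prefix check so that
    '/static/%2e%2e/config.json' collapses to '/config.json' and is refused
    instead of escaping the directory.
    """
    clean = posixpath.normpath("/" + unquote(url_path).lstrip("/"))
    for prefix, root in ALLOWED_DOWNLOAD_PATHS.items():
        if clean != prefix and not clean.startswith(prefix + "/"):
            continue
        rel = clean[len(prefix):].lstrip("/")
        fs_path = os.path.normpath(os.path.join(root, rel))
        # Belt and braces: the resolved path must still sit under root.
        if os.path.commonpath([root, fs_path]) != root:
            return None
        return fs_path, (rel.split("/") if rel else [])
    return None


def is_servable(url_path):
    """Decide whether the file named by url_path may be sent to the client.

    The blacklist is applied to the canonical path components, so
    '/static/./config.json' and '/static//config.json' are refused too.
    """
    resolved = resolve(url_path)
    if resolved is None:
        return False
    _fs_path, parts = resolved
    if parts and parts[-1] in BLACKLISTED_FILES:
        return False
    if any(part in BLACKLISTED_DIRS for part in parts):
        return False
    return True


if __name__ == "__main__":
    for req in ["/static/index.gmi", "/static/.smol.json",
                "/static/%2e%2e/config.json",
                "/static/.anonymous-authentications/abc.pem",
                "/static/certs/client.pem"]:
        print(f"{req:45} -> {'serve' if is_servable(req) else 'refuse'}")
```

Note the last request in the demo: a whitelisted client certificate directory that happens to sit under a whitelisted download directory is served, because the gate is a denylist of known names rather than an allowlist of content. That is exactly the case the page leaves to the administrator.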


For smolver Admins


The project's README has been extended to include:


>## Security Considerations

>* With a few exceptions, anything in a directory or subdirectory of anything in `staticContent.allowedFileDownloadPaths` will be servable to clients.

>* That means that if your configuration of whitelisted authentication directories and whitelisted static file directories overlaps, then the whitelisted authentication directories and all of their contents (`.pem` files) will be served if directly requested.

>* Do not put anything in `staticContent.allowedFileDownloadPaths` that you do not want accessible; logs, SSL certificates, whitelisted client certificates, etc.


I have also added this documentation comment to the blacklist checking code:


>/// This struct encapsulates the rules for which files are blacklisted from being served.

>/// The only URIs that are checked are those that are known at compile time to be both

>/// sensitive and by design contained in a directory that also contains servable content.

>///

>/// Log and TLS files were also considered for blacklisting, but, in the interest of simplicity,

>/// instead that is left up to you as the server admin; if you don't want those served, don't

>/// put them under the ``staticContent.allowedFileDownloadPaths`` object in ``config.json``.

>///

>/// - Attention: Blacklisted files include:

>///

>/// * Configuration files

>/// * ``.smol.json``

>/// * ``config.json``

>/// * Anything related to anonymous authentication or authorization

>/// * ``.anonymous-authentications/`` [used internally]
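Because the README considerations and the documentation comment above both leave logs, TLS files and whitelisted client certificate directories to the administrator, an admin wants a way to check their own config.json for that overlap. The script below is an added example written for this page, not part of smolver; only the key name staticContent.allowedFileDownloadPaths comes from the page, while its shape (URL prefix mapped to a directory) and the authentication, tls and logging key names are assumptions, and the sample configuration is constructed.

```python
# Added example, not smolver's own code: an admin-side audit of config.json
# for the overlap the README warns about. Only the key name
# staticContent.allowedFileDownloadPaths comes from the page; its shape
# (URL prefix -> directory) and every other key name are assumptions.
import json
import os

# Constructed sample config.json (not a real smolver configuration).
SAMPLE_CONFIG_JSON = """{
  "staticContent": {
    "allowedFileDownloadPaths": {
      "/static": "/srv/gemini/static",
      "/pub": "/srv/gemini/pub"
    }
  },
  "authentication": {
    "whitelistedClientCertificateDirectories": [
      "/srv/gemini/static/certs",
      "/etc/smolver/certs"
    ]
  },
  "tls": {
    "certificate": "/etc/smolver/tls/cert.pem",
    "privateKey": "/etc/smolver/tls/key.pem"
  },
  "logging": {"file": "/srv/gemini/pub/logs/smolver.log"}
}"""


def is_under(path, root):
    """True when path is root itself or lies anywhere beneath it."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    return os.path.commonpath([path, root]) == root


def sensitive_paths(config, config_path):
    """Yield (label, path) pairs that must never be client-servable."""
    yield "config.json", config_path
    auth = config.get("authentication", {})
    for directory in auth.get("whitelistedClientCertificateDirectories", []):
        yield "client certificate directory", directory
    tls = config.get("tls", {})
    for key in ("certificate", "privateKey"):
        if key in tls:
            yield f"TLS {key}", tls[key]
    log_file = config.get("logging", {}).get("file")
    if log_file:
        yield "log file", log_file


def audit(config, config_path="/etc/smolver/config.json"):
    """Return one finding per sensitive path under a whitelisted directory."""
    whitelisted = config["staticContent"]["allowedFileDownloadPaths"].values()
    findings = []
    for label, path in sensitive_paths(config, config_path):
        for root in whitelisted:
            if is_under(path, root):
                findings.append(
                    f"{label} {path} is reachable through whitelisted "
                    f"download directory {root}")
    return findings


def audit_sample(config_path="/etc/smolver/config.json"):
    """Run the audit over the constructed sample configuration."""
    return audit(json.loads(SAMPLE_CONFIG_JSON), config_path)


if __name__ == "__main__":
    for finding in audit_sample():
        print("WARNING:", finding)
```

On the sample configuration the audit reports the client certificate directory under /srv/gemini/static and the log file under /srv/gemini/pub, and stays quiet about the material under /etc/smolver. config.json is still reported if it lives under a whitelisted directory even though smolver now refuses to serve it by name, since the rest of that directory is not protected.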

-- Page fetched on Tue May 21 21:53:56 2024