mmm / 4f5c88b
add ba_log 2019-10-29 s-ol 2 years ago
2 changed file(s) with 38 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 Today i implemented updating/saving content in the server, and bridged the feature to the client.
1 In the inspector there is now a `save changes` button that (attempts to) save the content on
2 the server's filesystem \[[`4b8d9be`][4b8d9be]\].
4 <mmm-embed path="video" nolink>demonstration of editing and persistantly saving facet</mmm-embed>
6 Originally I wanted to create a `sandbox` fileder that was to be edited by any one online \[[`d9eafa2`][d9eafa2]\].
7 I restricted editing to only fileders underneath `/sandbox`, but then upon publishing quickly realized
8 that this left open a major security vulnerability, since content can be evaluated on server or client:
9 if a client were to create a facet `exploit: text/lua -> text/plain` with the following content in the root:
11 ```lua
12 pass ='/etc/passwd', 'r')
13 return pass:read("*all")
14 ```
16 ...and then request that facet as converted to `text/plain` (`GET /exploit: text/plain`),
17 then that Lua code would be executed on the server, and return the confidential `passwd` file on the server.
18 This basically meant handing anyone online full unconditionaly access to my server
19 (or at least the VM running the website, and potentially options to escalate from there).
21 As a result I had to choose to either disable public editing, or disable server-side code execution.
22 Because server-side execution is a major feature of mmmfs, I settled for the following compromise \[[`1e3b0a1`][1e3b0a1]\]:
24 - when developing and running locally, editing and code execution are both enabled in 'unsafe mode'
25 - on, editing is disabled but code execution is possible
26 - on, editing is enabled but code server-side code execution is disabled
28 The Sandbox can now be found at the following address, at least until the thesis project is concluded:
30 # [``](
32 Currently it is only possible to edit existing facets,
33 but creation and deletion of facets and fileders should be implemented soon.
35 [4b8d9be]:
36 [d9eafa2]:
37 [1e3b0a1]: