[rauhl]

Pretty neat! I see that you’re using Hunchentoot — are you concerned that it interns HTTP header names in the KEYWORD package? It means that a malicious client can use up all your RAM by submitting requests with random header names.

[susam]

Thank you for your comment. This is a great point! I had not considered this earlier but after looking at https://github.com/edicl/hunchentoot/blob/master/request.lis... it is clear that this could potentially lead to denial of service.

I have now updated the Nginx configuration to block arbitrary headers coming from the remote client and explicitly pass only a limited set of headers to Hunchentoot. So now I have something like this in the Nginx reverse proxy configuration:

  proxy_pass_request_headers off;
  proxy_set_header Accept $http_accept;
  proxy_set_header Content-Length $http_content_length;
  proxy_set_header Content-Type $http_content_type;
  proxy_set_header If-Modified-Since $http_if_modified_since;
  proxy_set_header Referer $http_referer;
  proxy_set_header User-Agent $http_user_agent;
  proxy_set_header X-Forwarded-For $remote_addr;

I will push this configuration to the GitHub repository too sometime this weekend.

[susam]

Here's an update. The Nginx reverse proxy configuration update to work around the memory leakage issue in Hunchentoot has now been pushed to the GitHub repository of MathB.in too.

Commit: https://github.com/susam/mathb/commit/0dcedc0

Nginx configuration: https://github.com/susam/mathb/blob/main/etc/nginx/https.mat...

[nerdponx]

This is a pretty subtle security "gotcha" for any program that wants to be clever and intern user-provided inputs as keywords. Good to know!

[kazinator]

A simple fix that would be to intern all valid header names into the keyword package on startup, and then when processing a request, use FIND-SYMBOL against the keyword package rather than INTERN. If that fails, just drop that header.

[vindarel]

I'd be happy to see a discussion on the issue: https://github.com/edicl/hunchentoot/issues/24