08 Feb 2016

Racket Web Server Security Vulnerability

posted by Sam Tobin-Hochstadt

We recently discovered a serious security vulnerability in the Racket web server, which can lead to unintended disclosure of files on the machine running the web server. This vulnerability is fixed in Racket version 6.4, just released, and we encourage people to upgrade to that version.

The vulnerability affects web servers that serve static files using the #:extra-files-paths option, including the default value of this option. If you do not use the Racket web serve to serve static files, or you do so via a mechanism that does not use the make-url->path function, then you are likely not vulnerable. Affected web serves will allow specially-crafted URLs to access files outside of the specified paths, potentially exposing any file that the web server process is able to read.

If you cannot immediately upgrade to version 6.4, we have provided a package catalog with updated versions of the “web-server-lib” package for versions of Racket back to 6.0. That catalog is located at

http://download.racket-lang.org/patches/web-server–1/

To use it to upgrade your Racket installation, add it as a catalog using raco pkg config. To make this process easier, you can download the Racket script available here. Then run:

$ racket add-catalog.rkt
$ raco pkg update -i web-server-lib

If you need advice on updating Racket installations older than version 6.0, please let us know and we will provide them.

To test that your Racket installation is fixed, you can run the program here. It will print whether your installation is out of date.

Made with Frog, a static-blog generator written in Racket.
Source code for this blog.