Hi All, there's a new version of Gorilla REPL, version 0.3.2, available on clojars that contains an important security fix. I would recommend upgrading immediately, if possible. Many thanks to @silasdavis for initially reporting this issue, and for @foogoof for highlighting that it was more important than I had initially thought.
The problem was that Gorilla, by default, listened on all available IPs, meaning that if your firewall was open on the Gorilla port then untrusted users could execute commands in the Clojure REPL (essentially giving them the level of access of the user that ran Gorilla). I had not given this the highest priority to fix, as a sane firewall configuration would prevent this, and rather saw this as a matter of providing safer defaults.

However, I recently learned that both Windows and MacOS don't have a sane firewall configuration :eek:. Specifically, if you've ever given incoming access permission to a Java program (say IntelliJ, some Oracle abomination that you have to use to buy things at work, a BitTorrent client, etc.) then all Java processes, including the Gorilla server, will open a hole in the firewall by default :-( A quick sampling of machines around the lab suggested that this is pretty likely to be the case.

The fix, contributed by @foogoof, is to only listen on the loopback address by default. You can still configure Gorilla to listen on other addresses if you want to use it in a server configuration.

My sincere apologies to anyone who's been put at risk by this, both for writing the half-assed code in the first place, and then for not appreciating the severity of the issue when reported!

On a brighter note, this release also has improved bracket-match highlighting, which should make it more accessible to those with colour vision deficiency.

Jony
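The difference the announcement turns on is which address a development server binds: the wildcard address (`0.0.0.0` or `::`) accepts connections from any host the firewall lets through, while the loopback address (`127.0.0.1` or `::1`) accepts only local ones. The example below is an added illustration written in Python for this post, not Gorilla REPL's own code (which is Clojure). It classifies bind addresses, opens a loopback-only listener to show that local use still works, and audits constructed `ss -tln`-style output for listeners that are reachable from the network. The port numbers and the sample listener lines are constructed for the example and say nothing about Gorilla's actual defaults.

```python
import ipaddress
import socket


def classify_bind_address(addr: str) -> str:
    """Classify a listening address by who can reach it.

    'loopback-only'      -> only processes on this machine (127.0.0.1, ::1)
    'all-interfaces'     -> every interface, i.e. anyone the firewall admits (0.0.0.0, ::)
    'specific-interface' -> one non-loopback interface, still network-reachable
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific-interface"


def open_listener(host: str, port: int = 0) -> socket.socket:
    """Bind and listen on host:port (port 0 = let the OS pick a free port)."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(1)
    return sock


def bound_address(sock: socket.socket) -> tuple:
    """Return (address, port) the kernel actually bound the socket to."""
    addr, port = sock.getsockname()[:2]
    return addr, port


def parse_ss_listeners(text: str) -> list:
    """Parse 'ss -tln'-style lines into (address, port) tuples.

    Only LISTEN rows are kept; the header and anything else is skipped.
    IPv6 addresses arrive as '[::1]:port' and are unbracketed; a bare '*'
    (printed by some tools for the wildcard) is treated as 0.0.0.0.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")
        if addr == "*":
            addr = "0.0.0.0"
        listeners.append((addr, int(port)))
    return listeners


def exposed_listeners(text: str) -> list:
    """Return the listeners that are reachable from other hosts."""
    return [
        (addr, port)
        for addr, port in parse_ss_listeners(text)
        if classify_bind_address(addr) != "loopback-only"
    ]


# Constructed sample in the shape of `ss -tln` output; ports are arbitrary.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:9000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:9001      0.0.0.0:*
LISTEN 0      128    [::1]:9002          [::]:*
LISTEN 0      128    [::]:9003           [::]:*
"""


if __name__ == "__main__":
    # The safe default: bind loopback only, and confirm a local client still connects.
    server = open_listener("127.0.0.1")
    addr, port = bound_address(server)
    print(f"listening on {addr}:{port} -> {classify_bind_address(addr)}")
    with socket.create_connection((addr, port), timeout=2) as client:
        print("local connection succeeded:", client.getpeername()[:2])
    server.close()

    # What the pre-0.3.2 default looked like: the wildcard address.
    print("0.0.0.0 ->", classify_bind_address("0.0.0.0"))

    # Audit pass over the constructed sample: only the wildcard rows are flagged.
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"network-reachable listener: {addr}:{port}")
```

Running the audit against real `ss -tln` (Linux) or `netstat -an` output is the quick check for the condition the post describes: any REPL or notebook server showing up on `0.0.0.0` or `::` is reachable by whoever the firewall admits, and on a machine where Java already has a firewall exception that is everyone on the network.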