[Racket announcement] Racket Web Server Security Vulnerability

From: Sam Tobin-Hochstadt (samth at cs.indiana.edu)
Date: Mon Feb 8 11:17:45 EST 2016

We recently discovered a serious security vulnerability in the Racket
web server, which can lead to unintended disclosure of files on the
machine running the web server. This vulnerability is fixed in Racket
version 6.4, just released, and we encourage people to upgrade to that
version.

The vulnerability affects web servers that serve static files using
the `#:extra-static-files` option, including the default value of this
option. If you do not use the Racket web serve to serve static files,
or you do so via a mechanism that does not use the `make-url->path`
function, then you are likely not vulnerable. Affected web serves will
allow specially-crafted URLs to access files outside of the specified
paths, potentially exposing any file that the web server process is
able to read.

If you cannot immediately upgrade to version 6.4, we have provided a
package catalog with updated versions of the "web-server-lib" package
for versions of Racket back to 6.0. That catalog is located at

  http://download.racket-lang.org/patches/web-server-1/

To use it to upgrade your Racket installation, add it as a catalog
using `raco pkg config`. To make this process easier, you can download
the Racket script available at
https://gist.github.com/samth/c81e1e2fabc744759970. Then run:

  $ racket add-catalog.rkt
  $ raco pkg update -i web-server-lib

On some systems, this may need to be run with administrator or
super-user privileges, if Racket was installed with those privileges.

If you need advice on updating Racket installations older than version
6.0, please let us know and we will provide them.

To test that your Racket installation is fixed, you can run the
program here: https://gist.github.com/samth/740cc39eb6c0d9bd7bc3

Thanks to Rob Henderson for the discovery of this issue.

Sam, for the Racket team

Posted on the announce mailing list.