Some of you have probably already seen that Jester v0.3.0 was released recently. For those of you that haven't, be sure to check out the new features here.
More important than the new features is the security vulnerability that was fixed in this release. @federico3, who reported this issue to me, created a CVE ID for this issue: CVE-2018-13034. I quote the changelog here with the details of this security vulnerability:
This vulnerability makes it possible for an attacker to access files outside your designated static directory. This can be done by requesting URLs such as https://localhost:5000/../webapp.nim. An attacker could potentially access anything on your filesystem using this method, as long as the running application had the necessary permissions to read the file.
If you are running a Jester application then I strongly suggest you upgrade to either v0.3.0 or v0.2.1. Version 0.3.0 contains many new features and depends on Nim devel, so you may wish to upgrade to v0.2.1 instead: it is just Jester 0.2.0 with the backported security fix, so upgrading to it should be painless. If you are running Jester behind a reverse proxy such as nginx or CloudFlare then you are not vulnerable, but I would still suggest you take the time to upgrade Jester.
Apologies for the inconvenience and big thanks to @federico3 for sharing this vulnerability with me responsibly :)
Let me know if you have any questions.
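The containment check that closes this class of bug, written here in Python as an added illustration (this is not Jester's code, which is Nim, and the directory layout and request strings are constructed for the demo): the request path is percent-decoded, joined under the static root, fully resolved, and served only if the resolved file is still inside that root.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

def resolve_static(static_root: Path, url_path: str) -> Optional[Path]:
    """Map a request URL onto a file under static_root, or return None
    when the request would escape the directory (a path traversal)."""
    root = static_root.resolve()
    # Decode percent-encoding first so "..%2F" is treated as "../", and
    # drop any query string or fragment before touching the filesystem.
    decoded = unquote(urlsplit(url_path).path)
    if "\x00" in decoded:          # NUL bytes can truncate paths lower down
        return None
    # Join relative to root, then collapse "..", "." and symlinks.
    candidate = (root / decoded.lstrip("/")).resolve()
    # Containment check: the resolved file must still live under root.
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate

# Constructed sample requests: the traversal quoted in the changelog plus
# percent-encoded variants, beside two legitimate static requests.
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/../index.html",      # ".." that stays inside the directory
    "/../webapp.nim",          # the exact request quoted above
    "/..%2Fwebapp.nim",        # same traversal, percent-encoded slash
    "/%2e%2e/webapp.nim",      # same traversal, percent-encoded dots
]

def demo() -> dict:
    """Build a throwaway layout (public/index.html next to webapp.nim)
    and report which requests the check lets through."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        public = app_dir / "public"
        public.mkdir()
        (public / "index.html").write_text("<h1>hello</h1>")
        (app_dir / "webapp.nim").write_text("# server source, must stay private")
        return {req: resolve_static(public, req) is not None
                for req in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{req:22} -> {'served' if allowed else 'rejected'}")
```

Resolving both the root and the candidate also keeps symlinked static directories working while still rejecting anything that resolves outside the root.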
I see that new Jester uses httpbeast under the hood. It is great to hear that httpbeast is now ready for common usage!
Can I ask you what kind of compatibility - if any - there is with the stdlib server? I would like to try to port Rosencrantz as well, and test how well it works.
It's a little bit different because it takes control of the event loop, whereas asynchttpserver integrates with asyncdispatch. HttpBeast actually calls asyncdispatch's poll itself.
Another difference is that the Request object doesn't store any of the underlying fields such as code and body. There are procedures which retrieve this from a data buffer. You can ignore this, retrieve all the fields for each request and put them in your own Request object, but doing so will cause a slowdown.
Btw this forum has been running on httpbeast for many weeks now :)