Yesod 1.6 was released in February of this year. This new version changes how subsites are implemented, which breaks most Yesod web applications. I did not find many good resources describing how to migrate web applications to 1.6, so I am documenting the steps I took to fix my website. It was not immediately obvious what changes needed to be made, so hopefully this is helpful for others.

My website was originally running on Stackage LTS 9.2, so I upgraded to LTS 12.2 by updating my stack.yaml file:

resolver: lts-12.2

Continue reading...

mime-mail is a Haskell library used to compose and render emails. It is typically used in server-side software to send automated emails or construct emails from user supplied inputs.

While working on a website where I was constructing emails with POST data supplied by the user, I discovered that the mime-mail package was vulnerable to a header injection vulnerability. When browsing mime-mail's source code, I noticed that email headers were not being sanitized before being rendered. This meant that an attacker could insert additional email headers by injecting CLRF (\r\n) characters between the malicious headers. As a result, attackers could control parameters including the From, To, Reply-To, CC, BCC, and Subject fields. Since the emails are sent from the website, attackers could use this vulnerability to send spam, phish users for credentials, leak private information, or deface the site.

We can demonstrate the vulnerability with ghci, Haskell's REPL:

Continue reading...

Yesod, a web framework for Haskell, provides convenient functionality that makes it simple to render and parse web forms. Unfortunately, it is not as elegant when it comes to implementing a POST handler that can process multiple web forms. This blog post presents one approach that simplifies the processing of multiple web forms in a single handler.

The first step to handling multiple POST forms is to use the identifyForm function. This function takes a string that uniquely identifies a given form and embeds a hidden field in the form (which is given as the second argument). When parsing a request’s POST data, if the hidden field’s identifier does not match the form’s unique identifier, parsing will return a FormMissing. This allows the request handler to parse other forms until one parses successfully. Here is an example of how to use identifyForm:

-- Data type for formA. 
data FormDataA = FormDataA Text

Continue reading...