Re: Sharing scripts

From: Jaroslav Hajek
Subject: Re: Sharing scripts
Date: Mon, 15 Mar 2010 12:26:57 +0100
On Mon, Mar 15, 2010 at 11:37 AM, MathCloud <address@hidden> wrote:
>
> Hi Jaroslav,
>
> Now I have restarted MathCloud.se again, thanks for the input.
>
> I have filtered out feval and eval, which is quite sad.
Yes. Still it's not enough, unfortunately. I was just able to do:
s = str2func (["sys", "tem"]);
[st, out] = s("sysinfo");
to get complete information about your system. I could have also used
this to run malicious code (of course limited by account privileges).
At least the following functions pose a potential security risk as well:
dir
tar, untar, zip, unzip, gzip, gunzip
path, addpath, genpath, rmpath, pathdef, savepath
dlmread dlmwrite
save (?)
gnuplot_binary, info_program, makeinfo_program
maybe more...
> They are an
> important part of Octave so I will try to solve this in a more sophisticated
> way.
>
Maybe you are aware that you can override built-in functions?
You can place system.m, popen.m etc. somewhere and then add this to
path() at Octave's startup (.octaverc).
In this manner, you need not forbid eval and feval because they can't
influence the name lookup.
The problematic functions are "builtin" and "dispatch" which you
should either forbid or override to filter out forbidden functions
(because these two can alter the function lookup order).
> I will watch the progress with the restricted version of Octave with great
> interest.
>
Yeah, I'm afraid you can't get much safety by simply filtering
the input, there are just too many options for workarounds. I believe a
solution from inside Octave will be much more safe and robust.
--
RNDr. Jaroslav Hajek, PhD
computing expert & GNU Octave developer
Aeronautical Research and Test Institute (VZLU)
Prague, Czech Republic
url: www.highegg.matfyz.cz
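The override approach Jaroslav sketches above, written out as an added example (not code from the thread or from MathCloud): m-files that shadow `system` and `builtin`, plus the `.octaverc` line that puts them first on the path. The directory `~/sandbox` and the deny-list are assumptions; the same stub has to be repeated for each further name in his list (popen, the path functions, the archive functions, and so on).

```octave
% ---- ~/sandbox/system.m ----
% Shadows the built-in system(): because name lookup goes through the path,
% eval ("system(...)"), feval ("system", ...) and str2func ("system") all
% resolve to this stub instead of spawning a shell.
function varargout = system (varargin)
  error ("sandbox: system () is disabled on this host");
end

% ---- ~/sandbox/builtin.m ----
% Shadows builtin(), which would otherwise call the real built-in directly and
% skip the m-file overrides. Names on the deny-list are refused; every other
% name is dispatched with feval, so the normal (overridden) lookup still applies.
function varargout = builtin (name, varargin)
  forbidden = {"system", "popen", "builtin", "dispatch"};   % assumed deny-list
  if (! ischar (name) || any (strcmp (name, forbidden)))
    error ("sandbox: builtin () call rejected");
  endif
  [varargout{1:nargout}] = feval (name, varargin{:});
end

% ---- ~/.octaverc ----
% Prepend the sandbox directory so its m-files shadow the built-ins. The path
% functions (addpath, rmpath, path, ...) from the list above need stubs of
% their own, otherwise a script can simply remove this directory again.
addpath ("~/sandbox");
```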