[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Psyntax security hole prevents secure sandboxing in Guile

From: Noah Lavine
Subject: Re: Psyntax security hole prevents secure sandboxing in Guile
Date: Mon, 7 May 2012 07:58:05 -0400

That is an interesting problem. It would be nice to have sandboxing.

I'm writing to point out that there has been an attempt to make
"out-of-the-box" sandboxing work. The modules (ice-9 safe) and (ice-9
safe-r5rs) should be sandboxed environments, I think. (I encountered
them while looking for undocumented modules.) There's also the (ice-9
null) module, which gives an environment with only the basic syntax
and no procedures at all.


On Sun, May 6, 2012 at 2:17 PM, Mark H Weaver <address@hidden> wrote:
> Hello all,
> Every once in a while someone asks about secure sandboxing with Guile,
> and generally the response is that it should be fairly easy, by creating
> a module with carefully selected bindings, but there's nothing ready
> "out of the box".
> I just realized that psyntax has a security hole that prevents secure
> sandboxing, and wanted to post this fact before it was forgotten.
> The problem is that psyntax accepts syntax-objects in the input, and
> syntax-objects are simply vectors (or sexps containing vectors).
> Therefore, it is always possible to _forge_ syntax-objects that refer to
> arbitrary bindings in arbitrary modules, even if the usual bindings of
> '@' and '@@' are not available.
> In particular (although this is an internal implementation detail that
> you cannot rely upon!) in Guile 2.0 the following two expressions are
> treated equivalently:
>  (@@ (ice-9 popen) open-pipe*)
>  #(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
> I don't think we can plug this hole until 2.2.
>     Mark

reply via email to

[Prev in Thread] Current Thread [Next in Thread]