On Mon, Mar 15, 2010 at 11:37 AM, MathCloud <
address@hidden> wrote:
>
> Hi Jaroslav,
>
> Now I have restarted MathCloud.se again, thanks for the input.
>
> I have filtered out feval and eval, which is quite sad.
Yes. Still it's not enough, unfortunately. I was just able to do:
s = str2func (["sys", "tem"]);
[st, out] = s("sysinfo");
to get complete information about your system. I could have also used
this to run malicious code (of course limited by account privileges).
At least the following functions pose a potential security risk as well:
dir
tar, untar, zip, unzip, gzip, gunzip
path, addpath, genpath, rmpath, pathdef, savepath
dlmread dlmwrite
save (?)
gnuplot_binary, info_program, makeinfo_program
maybe more...
> They are an
> important part of Octave so I will try to solve this in a more sofisticated
> way.
>
Maybe you are aware that you can override built-in functions?
You can place system.m, popen.m etc somewhere and then add this to
path() at Octave's startup (.octaverc).
In this manner, you need not forbid eval and feval because they can't
influence the name lookup.
The problematic functions are "builtin" and "dispatch" which you
should either forbid or override to filter out forbidden functions
(because these two can alter the function lookup order).
> I will watch the progress with the restricted version of Octave with great
> interest.
>
Yeah, I'm afraid you can't get much of a safety by simply filtering
the input, there's just too much options for workarounds. I believe a
solution from inside Octave will be much more safe and robust.