help-octave

Fwd: Re: Octave Web GUI


From: Tom Weichmann
Subject: Fwd: Re: Octave Web GUI
Date: Sun, 25 Jun 2000 16:38:07 -0400

I do get both the form for input, and the output from octave, but appended to
the very end of the output I get the error.  It seems like Octave is trying to
either read or write something else, like a history file (although I am using
the -H option to avoid the writing of the history file), or something along
those lines.

As far as security goes, I must admit I am only learning about the full power
of octave.  It seems like the exec() function is the only function I really
need to worry about.  I was going to implement a filter to remove any exec()
functions from incoming m-files, but after trying to break security myself it
seems like I do not need to.  If from my gui I type:

exec('ls')

The perl script opens a process for octave, but when Octave executes the
exec() function, the parent Octave process dies.  It never returns to
the httpd process, which never returns anything to the browser.  The
browser just tells you "Still Loading" indefinitely.

Next I tried the following:

exec('cp /etc/passwd /my/public/html/dir')

to see if the function was executed and just not returned to the browser.  No
copy was made, telling me that the exec() process died before it completed its
assigned task.  I may be *totally* wrong, but it seems like running Octave from
a httpd process may be inherently secure!


Hello:

The directory in which the perl-octave-cgi script stores the output files
must be world-writable, I think. The "permission denied" may mean that the
directory is not world-writable as the process is normally run as user
"nobody". This is more likely the case.

If any of the perl-octave/cgi scripts does not have execute permission,
then the form may not display at all and the user will get an error message
(in case of perl) or the output will not show up at all (in case the octave
script is not executable).

Apart from all these things, you have to take care of the security aspects
of allowing an execution of any submitted m-file.

Vivek...

On Sat, 24 Jun 2000, Tom Weichmann wrote:

> Hello,
> 
> I am developing a cgi web based GUI to Octave using PERL.  Things are going
> great so far, and I plan on making the source public...of course.  It works
> like this.  There is a dialog box, where you input your m-file, then click on
> the button to submit.  The cgi PERL script opens and writes the m-file
> to octave.  I then re-direct stdout to a file, and save any gnuplot output to
> a file as well.  Then the PERL generates the html for a web page which
> includes the text and graphical output from octave, and sends this to the
> browser.  I have accomplished all of this, but no matter what I am doing in
> my m-file, I get an error at the very end of the text output.  The following
> is an example of a *very* simple m-file, and its output to the web.
> 
> input----------------
> a=[1:1:10]
> b=[10:-1:1]
> 
> output--------------
> 
> a =
> 
>    1   2   3   4   5   6   7   8   9  10
> 
> b =
> 
>   10   9   8   7   6   5   4   3   2   1
> 
> error: Permission denied



-----------------------------------------------------------------------
Octave is freely available under the terms of the GNU GPL.

Octave's home on the web:  http://www.che.wisc.edu/octave/octave.html
How to fund new projects:  http://www.che.wisc.edu/octave/funding.html
Subscription information:  http://www.che.wisc.edu/octave/archive.html
-----------------------------------------------------------------------
-------------------------------------------------------

-- 
Tom Weichmann
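
An added example, not part of the original messages or of the perl-octave-cgi script: one way a CGI front end like the one discussed could launch the interpreter for each submission, using a private per-request scratch directory (mode 0700) rather than a shared world-writable one, plus CPU and wall-clock limits so a request cannot leave the browser waiting indefinitely. The command line in `OCTAVE_CMD`, the limit values and all function names are assumptions; these limits contain hangs and stray files but do not sandbox what the interpreter itself may run.

```python
import os
import resource
import signal
import subprocess
import tempfile

# Assumed invocation; -H (no history file) is the option named in the thread.
OCTAVE_CMD = ["octave", "-q", "-H", "--no-init-file"]

def _cap(res, value):
    """Lower a resource limit to `value`, never above the current hard limit."""
    _, hard = resource.getrlimit(res)
    new = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(res, (new, new))

def _limit_child():
    """Runs in the child before exec: cap CPU seconds and created-file size."""
    _cap(resource.RLIMIT_CPU, 5)
    _cap(resource.RLIMIT_FSIZE, 1 << 20)

def run_submission(m_source, cmd=OCTAVE_CMD, wall_timeout=10):
    """Feed one submitted m-file to the interpreter on stdin.

    Returns (status, text) where status is "ok", "failed" or "timeout".
    """
    # Directory is created with mode 0700, unique per request, removed on exit.
    with tempfile.TemporaryDirectory(prefix="octcgi-") as work:
        proc = subprocess.Popen(
            cmd, cwd=work,
            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            env={"PATH": "/usr/bin:/bin", "HOME": work},  # minimal environment
            preexec_fn=_limit_child,
            start_new_session=True)  # own process group, so killpg reaches children
        try:
            out, _ = proc.communicate(m_source.encode(), timeout=wall_timeout)
        except subprocess.TimeoutExpired:
            # Kill the interpreter and anything it spawned, then collect output.
            os.killpg(proc.pid, signal.SIGKILL)
            out, _ = proc.communicate()
            return "timeout", out.decode(errors="replace")
        status = "ok" if proc.returncode == 0 else "failed"
        return status, out.decode(errors="replace")
```

The CGI script can map the `"timeout"` and `"failed"` statuses to an error page, so the httpd process always sends a response.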


