Re: Octave restricted mode?

octave-maintainers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Octave restricted mode?

From:	Dupuis
Subject:	Re: Octave restricted mode?
Date:	Tue, 16 Mar 2010 00:55:43 -0700 (PDT)

Jaroslav Hajek-2 wrote:
> 
> hi all,
> 
> for use of Octave in web applications (which I'm myself interested
> in), I started to think about allowing Octave to run in a "secure"
> mode.
> 
> 
Hello Jaroslav,

great idea, but a lot of pittfalls to avoid. You should consider EVERYTHING
coming from the user as insecure. Think about sql injection, or, in PERL,
the logic:
- ask the user for a filename
- try to fstat() it
- if it exists, fopen it; else use system()

So, a hacker can enter a filename of `rm -rf /`; you see the problem. So, in
addition to chroot(), I also suggest to strictly sanitize everything coming
from the user; remove special and escaped characters, and so on.

Now, a single valid octave statement may hung a machine; what about
'a=rnd(1e8, 1e8)' ?

Regards

Pascal
-- 
View this message in context: 
http://old.nabble.com/Octave-restricted-mode--tp27902771p27914412.html
Sent from the Octave - Maintainers mailing list archive at Nabble.com.

[Prev in Thread]

Current Thread

[Next in Thread]

Octave restricted mode?, Jaroslav Hajek, 2010/03/15
- Octave restricted mode?, John W. Eaton, 2010/03/15
  - Re: Octave restricted mode?, Jaroslav Hajek, 2010/03/16
- Re: Octave restricted mode?, Dupuis <=

Prev by Date: Re: How to merge and push?
Next by Date: Re: safer way to use gnulib
Previous by thread: Re: Octave restricted mode?
Next by thread: Re: safer way to use gnulib
Index(es):
- Date
- Thread