I see Michael Creel's email that he also had trouble after a plot command. So my tests of Chrome and Epiphany were after the crash.
Doug Stewart
Date: Mon, 15 Mar 2010 08:30:34 -0400
Subject: Re: Sharing scripts
From: address@hidden
To: address@hidden
CC: address@hidden
I also tried MathCloud. You say that Firefox does not work, so I tried
Firefox, Epiphany and Chrome,
and all seemed to have problems.
What browser should I use from Ubuntu????
From Firefox I did get logged in and was able to download a script (q2.m).
I then ran it and saw the correct numbers show up on the screen, but the plot did not show.
>> Welcome address@hidden! You are now logged in.
>>
>> a=6; b=7;c=a*b
c = 42
>> q2
l = 60
phi = 2.0944
th1 = 0.52360
th2 = 1.0472
>> plot(xx,w);print -dpng plot.png
>> plot.png;print -dpng plot.png
There was an error evaluating your command : plot (y)
plot (x, y, ...)
plot (x, y, fmt, ...)
plot (x, y, property, value, ...)
>> q2
>> Bye! You have now logged out.
But when I tried to see the print file (plot.png) it thought I was trying to plot again!!
When I ran q2 the second time it did not display anything.
Doug Stewart
On Mon, Mar 15, 2010 at 7:26 AM, Jaroslav Hajek <address@hidden> wrote:
On Mon, Mar 15, 2010 at 11:37 AM, MathCloud < address@hidden> wrote:
>
> Hi Jaroslav,
>
> Now I have restarted MathCloud.se again, thanks for the input.
>
> I have filtered out feval and eval, which is quite sad.
Yes. Still it's not enough, unfortunately. I was just able to do:
s = str2func (["sys", "tem"]);
[st, out] = s("sysinfo");
to get complete information about your system. I could have also used
this to run malicious code (of course limited by account privileges).
At least the following functions pose a potential security risk as well:
dir
tar, untar, zip, unzip, gzip, gunzip
path, addpath, genpath, rmpath, pathdef, savepath
dlmread, dlmwrite
save (?)
gnuplot_binary, info_program, makeinfo_program
maybe more...
> They are an
> important part of Octave so I will try to solve this in a more sophisticated
> way.
>
Maybe you are aware that you can override built-in functions?
You can place system.m, popen.m, etc. somewhere and then add this to
path() at Octave's startup (.octaverc).
In this manner, you need not forbid eval and feval because they can't
influence the name lookup.
The problematic functions are "builtin" and "dispatch" which you
should either forbid or override to filter out forbidden functions
(because these two can alter the function lookup order).
> I will watch the progress with the restricted version of Octave with great
> interest.
>
Yeah, I'm afraid you can't get much safety by simply filtering
the input, there are just too many options for workarounds. I believe a
solution from inside Octave will be much safer and more robust.
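As an added illustration of the override approach Jaroslav describes (this is not code from the thread, from MathCloud or from Octave itself), the sketch below shows an override directory whose stub .m files shadow the dangerous built-ins, wired in from the sandbox user's .octaverc. The directory /srv/octave-sandbox/overrides and the file layout are assumptions; the blocked names come from the list in his message, and the same stub pattern extends to the others he lists (dir, tar/untar, zip/unzip, path/addpath/genpath/pathdef/savepath, dlmread/dlmwrite, dispatch).

```octave
% ---- file: ~/.octaverc of the sandbox user (assumed location) ----
% Prepend the override directory to the load path. Octave resolves a name to
% a file on the path before it falls back to the built-in of the same name,
% so every caller, including eval/feval/str2func, reaches the stub. This is
% why eval and feval no longer need to be filtered out.
addpath ("/srv/octave-sandbox/overrides");   % assumed path; addpath prepends by default

% ---- file: /srv/octave-sandbox/overrides/system.m ----
function varargout = system (varargin)
  % Stub shadowing the built-in: any call ends here instead of spawning a shell.
  error ("system: disabled in this sandbox");
endfunction

% ---- file: /srv/octave-sandbox/overrides/popen.m ----
function varargout = popen (varargin)
  error ("popen: disabled in this sandbox");
endfunction

% ---- file: /srv/octave-sandbox/overrides/builtin.m ----
% builtin() skips the load path and calls the real built-in directly, so it
% must be shadowed too (the same goes for dispatch). Forbidding it outright is
% the simpler of the two options mentioned above; a filtering variant would
% compare the requested name against a deny-list before delegating.
function varargout = builtin (varargin)
  error ("builtin: disabled in this sandbox");
endfunction

% ---- file: /srv/octave-sandbox/overrides/rmpath.m ----
% If the override directory could be removed from the path the stubs would
% stop shadowing anything, which is why the path-manipulation functions are
% on the risk list. Stub them the same way (path, addpath, savepath, ...).
function varargout = rmpath (varargin)
  error ("rmpath: disabled in this sandbox");
endfunction
```

With the stubs in place, the str2func probe quoted earlier in the thread resolves "system" to overrides/system.m and raises the error instead of running sysinfo; checking that probe after each Octave upgrade is a cheap regression test for the sandbox, since a new built-in or a changed lookup order would silently reopen the hole.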