[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Octave restricted mode?
From: |
Dupuis |
Subject: |
Re: Octave restricted mode? |
Date: |
Tue, 16 Mar 2010 00:55:43 -0700 (PDT) |
Jaroslav Hajek-2 wrote:
>
> hi all,
>
> for use of Octave in web applications (which I'm myself interested
> in), I started to think about allowing Octave to run in a "secure"
> mode.
>
>
Hello Jaroslav,
great idea, but a lot of pittfalls to avoid. You should consider EVERYTHING
coming from the user as insecure. Think about sql injection, or, in PERL,
the logic:
- ask the user for a filename
- try to fstat() it
- if it exists, fopen it; else use system()
So, a hacker can enter a filename of `rm -rf /`; you see the problem. So, in
addition to chroot(), I also suggest to strictly sanitize everything coming
from the user; remove special and escaped characters, and so on.
Now, a single valid octave statement may hung a machine; what about
'a=rnd(1e8, 1e8)' ?
Regards
Pascal
--
View this message in context:
http://old.nabble.com/Octave-restricted-mode--tp27902771p27914412.html
Sent from the Octave - Maintainers mailing list archive at Nabble.com.