Re: [Texmacs-dev] Safe modules for TeXmacs

From: Giovanni Piredda
Subject: Re: [Texmacs-dev] Safe modules for TeXmacs
Date: Wed, 13 May 2020 01:17:06 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0

Since I emailed about the problem, let me email about the solution too.

The creation of safe modules through the (make-module) function works well in Guile 1.8 as far as I have been able to see - I have been able to run a Scheme script for TeXmacs where a part of it depends on that function and the (eval expression module) function for "safe execution"; I did not need to put either define or set! in the list of the allowed symbols. Of course I am not able to evaluate how safe the "safe modules" are :-)

For Guile 2 (I tried with 2.2.3) there are other functions (make-sandbox-module and eval-in-sandbox). I tried them with the "TeXmacs for Guile 3.0" that Max posted in March and I got stuck (from the error messages I gathered that Guile needs as an allowed symbol the name of the main function TeXmacs is calling); at any rate any investigation of this is probably best postponed to when TeXmacs 2.2 (with Guile 2/3) is there.

I do not have a clear picture of how these things work but it may be that the infrastructure for safe execution in Guile 2 is "safer" (between quotes: again, I do not know what safer means in this context ;-) ) than in Guile 1.8.



On 09.05.20 20:55, Giovanni Piredda wrote:
This is a bit long, please be patient :-), I hope it is useful.

A few weeks ago Massimiliano suggested that I look into how to limit which commands can be executed in a piece of otherwise arbitrary Guile code (http://lists.texmacs.org/wws/arc/texmacs-users/2020-03/msg00146.html and following). This would help make some Scheme programs for TeXmacs safer.

In that discussion we were referring to code which serves to send a graphics expression to TeXmacs. Since I want the graphics expression to be arbitrary, the code calls "load" on a user-specified file which "should" contain graphics commands.

I have looked into the filtering of commands and found a way to do it, starting from https://www.mail-archive.com/address@hidden/msg00963.html (found with a Google search). I write here about it to get some suggestions, if possible; not everything works and I have to think about it quite a while longer to make something sensible. The questions are after the description.

There is another way based on (make-root-module) (I found the code for it in a past version of Guile) but one thing at a time. I am using Guile 2.2.3.

--- Description

make-module defines a module without bindings; one has to add them.

I tested:

(define (make-pure-math-module)
  (let ((m (make-module)))
    (module-define! m '* *)
    (module-define! m 'load load)
    ;; return the module so it can be passed to eval
    m))

following up with a call

(eval '(load "testEvalLoad.scm") (make-pure-math-module))

where testEvalLoad.scm contains

(* 2 2)

or it contains

(+ 2 2)

The loading of the file with the first command succeeds, with the second fails: so far, so good.

Now the

--- Questions:


1) I cannot add either define or set! to the bindings:

(define (make-pure-math-module)
  (let ((m (make-module)))
    (module-define! m '* *)
    (module-define! m 'load load)
    (module-define! m 'define define)
    m))

fails with

Syntax error:
unknown location: unexpected syntax in form define

How to circumvent this? Having define available would help.


2) Maybe incompatible with 1)

The language that comes out of the filtering should not be too "strong": I do not want it to be able to redefine "forbidden" functions using "allowed" ones. Any ideas? Perhaps I should keep "define" out of it?

Texmacs-dev mailing list
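
An added example, not part of the message above and not TeXmacs code: a sketch of allow-list evaluation with the Guile 2.2 functions the message names, from (ice-9 sandbox), where syntax such as define is imported by name instead of being passed to module-define! as a value. The names allowed-bindings, read-all and eval-user-text and the sample inputs are hypothetical, and the user file is read form by form rather than passed to load.

```scheme
(use-modules (ice-9 sandbox))

;; Allowed names, written as import sets: ((module name) symbol ...).
;; core-bindings is exported by (ice-9 sandbox) and supplies syntax such
;; as define, lambda, let and if.  Only * and list are added to it here.
(define allowed-bindings
  (append core-bindings
          '(((guile) * list))))

;; Read every form from PORT without evaluating anything.
(define (read-all port)
  (let loop ((forms '()))
    (let ((form (read port)))
      (if (eof-object? form)
          (reverse forms)
          (loop (cons form forms))))))

;; Evaluate the text of a user file in a fresh sandbox module.
;; Any error (unbound name, exceeded limit, ...) becomes (rejected <key>).
(define (eval-user-text text)
  (let ((forms (call-with-input-string text read-all)))
    (catch #t
      (lambda ()
        (eval-in-sandbox (cons 'begin forms)
                         #:bindings allowed-bindings
                         #:time-limit 1))
      (lambda (key . args)
        (list 'rejected key)))))

;; Constructed sample inputs standing in for the user-specified file.
(display (eval-user-text "(define (sq x) (* x x)) (list (sq 3) (sq 4))"))
(newline)
(display (eval-user-text "(+ 2 2)"))   ; + is not in allowed-bindings
(newline)
```

Definitions made by the evaluated text live in the sandbox module only, so a user file that defines its own `+` does not touch the binding the host program uses.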
