[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [bug-gawk] Sandbox improvements
From: |
arnold |
Subject: |
Re: [bug-gawk] Sandbox improvements |
Date: |
Tue, 30 Apr 2019 14:05:26 -0600 |
User-agent: |
Heirloom mailx 12.5 7/5/10 |
Hi.
Thanks for your note. Your point about being able to change ARGV
is a good one; I will look into disallowing it in sandbox mode.
I will admit that I don't really understand what you're looking for
with the other suggestions; they sound difficult to implement.
(Of course, patches are welcome and will be reviewed.)
Thanks,
Arnold
Nolan Woods <address@hidden> wrote:
> Hi, thank you for such a great tool.
>
>
> The sandbox functionality of gawk is great, but it needs significant
> improvements.
>
> Even with sandbox, arbitrary files can be read using the following code:
>
> BEGIN {
> ARGV[ARGC]="/etc/passwd";
> ARGC++;
> }1
>
>
> Argument rewriting is an important feature as it allows controlling
> execution (like the example rewind() function).
>
> I would like to propose that a list of original argument paths be used
> as a whitelist for all functions.
>
> It would be ideal to relax the restrictions on the currently sandboxed
> functions as accessing internet resources is a useful feature that would
> not affect the local system.
> --
> Bioinformatically yours,
>
> Nolan Woods[X]
> Bioinformatics | Brinkman Laboratories
> Simon Fraser University | Key Big Data Hub
> 8888 University Dr., Burnaby, B.C. V5A 1S6
> T: 778.782.5097 | http://www.brinkman.mbb.sfu.ca/
> [Simon Fraser University]