Psyntax security hole prevents secure sandboxing in Guile
From: Mark H Weaver
Subject: Psyntax security hole prevents secure sandboxing in Guile
Date: Sun, 06 May 2012 14:17:09 -0400
Hello all,
Every once in a while someone asks about secure sandboxing with Guile,
and generally the response is that it should be fairly easy, by creating
a module with carefully selected bindings, but there's nothing ready
"out of the box".
I just realized that psyntax has a security hole that prevents secure
sandboxing, and wanted to post this fact before it was forgotten.
The problem is that psyntax accepts syntax-objects in the input, and
syntax-objects are simply vectors (or sexps containing vectors).
Therefore, it is always possible to _forge_ syntax-objects that refer to
arbitrary bindings in arbitrary modules, even if the usual bindings of
'@' and '@@' are not available.
In particular (although this is an internal implementation detail that
you cannot rely upon!) in Guile 2.0 the following two expressions are
treated equivalently:
(@@ (ice-9 popen) open-pipe*)
#(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
I don't think we can plug this hole until 2.2.
Mark
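The mail above states that in Guile 2.0 a syntax-object is just a vector, so a sandbox that hands untrusted data to eval has no way to tell a forged reference from an ordinary vector literal. As an added example (not part of Mark's mail or of Guile itself), here is a pre-evaluation filter that rejects any vector in the input datum before it reaches the expander; the names safe-datum? and sandbox-eval, the accepted atom types, and the caller-supplied restricted module are assumptions.

```scheme
;; Added example, not code from the mail or from Guile.
;; Assumption: the sandbox reads a datum from an untrusted source and
;; evaluates it with (eval datum module) in a module with restricted
;; bindings. Because a Guile 2.0 syntax-object is a vector, any vector
;; in that datum may be a forged reference to a binding in another
;; module, so the filter rejects vectors outright.

(define (safe-datum? x)
  ;; Walk the datum and allow only atoms and (proper or improper) lists
  ;; of atoms. Vectors are refused; so is anything else unusual
  ;; (bytevectors, records, hash tables, ...), since a sandbox should
  ;; whitelist what it understands rather than blacklist what it fears.
  (cond ((pair? x) (and (safe-datum? (car x)) (safe-datum? (cdr x))))
        ((vector? x) #f)                 ; possible forged syntax-object
        ((or (null? x) (symbol? x) (string? x) (number? x)
             (boolean? x) (char? x) (keyword? x))
         #t)
        (else #f)))

(define (sandbox-eval datum module)
  ;; Refuse to evaluate unless the whole datum passed the walk.
  (unless (safe-datum? datum)
    (throw 'unsafe-input datum))
  (eval datum module))

;; Constructed sample inputs: an ordinary expression, and the forged
;; syntax-object literal quoted in the mail.
(safe-datum? '(+ 1 2))
(safe-datum? '#(syntax-object open-pipe* ((top)) (hygiene ice-9 popen)))
```

The check only guards the datum handed to eval; if the restricted module itself exports eval or another way to build code at run time, values constructed there reach the expander without passing through safe-datum? and need the same treatment.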