Re: FW: [ANNOUNCE] Web-Octave Ready For Test

From: John W. Eaton
Subject: Re: FW: [ANNOUNCE] Web-Octave Ready For Test
Date: Mon, 27 Nov 2000 13:01:39 -0600

On 27-Nov-2000, Ben Sapp <address@hidden> wrote:

| > I have developed a Web Interface to octave, allowing octave to be used on 
| > platform with a graphical - javascript enabled web browser.  I will be 
| > this code public, but I would like to get any bugs out before I release the
| > code.  If you would like to test it out here is the URL:
| > 
| >Šþoctave/
| > 
| > PLEASE send me any problems which you encounter.
| > 
| graw should be removed from the list of acceptable commands.   Someone
| could do nasty things with it.   I was able to execute system commands
| with it. (Though, I was nice.)
| I would have preferred to send this directly to the author but the email
| I obtained for him did not work ->

I think that trying to remove commands is not the right approach.  It
doesn't prevent people from using things like

  eval (setstr (some_vector))

where some_vector contains the ASCII codes for something bad, like
"system ('rm -rf /')".  There are legitimate uses of eval, so removing
it is probably not a good solution either.

Instead, you should probably try to ensure that Octave is running in a
safe environment, probably by either linking with a safe version of
the system libraries (file creation and removal are allowed, but only
if certain conditions are met, for example) or by running Octave
inside a safe chroot environment, or both.

William Schelter did this with
his Netmath system.  The sources for his safe library (which should
work on Linux systems) are available at


Octave is freely available under the terms of the GNU GPL.
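
An added illustration of the point made in the message above (not code from the message, from Octave, or from Web-Octave): a name-based command filter of the kind being discussed, run against the `eval (setstr (some_vector))` form. The denylist contents, the Python function names and the harmless sample command are assumptions constructed for this example.

```python
import re

# Hypothetical denylist a web front end might apply to submitted Octave code.
DENYLIST = {"system", "graw"}

def naive_filter(source, denylist=DENYLIST):
    """Return True if no denylisted identifier appears in the submitted text."""
    identifiers = set(re.findall(r"[A-Za-z_]\w*", source))
    return not (identifiers & set(denylist))

def setstr(codes):
    """Emulate Octave's setstr: character codes in, string out."""
    return "".join(chr(c) for c in codes)

def encode(command):
    """Render a command as an Octave vector literal of its character codes."""
    return "[" + " ".join(str(ord(ch)) for ch in command) + "]"

# Constructed, harmless sample command standing in for "something bad".
HIDDEN = "system ('echo hello')"
SUBMITTED = "eval (setstr (" + encode(HIDDEN) + "))"

def report():
    # The only digits in SUBMITTED are the vector elements, so this recovers
    # the string that Octave would hand to eval at run time.
    decoded = setstr([int(n) for n in re.findall(r"\d+", SUBMITTED)])
    return {
        # The plain call is caught by the filter.
        "direct_call_allowed": naive_filter(HIDDEN),
        # The encoded call contains only 'eval', 'setstr' and numbers.
        "encoded_call_allowed": naive_filter(SUBMITTED),
        "evaluated_at_runtime": decoded,
        # Denylisting eval as well closes this path but rejects ordinary use.
        "legit_eval_allowed_if_eval_banned": naive_filter(
            'eval ("x = 1 + 1")', DENYLIST | {"eval"}
        ),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The filter only sees the submitted text, while the denylisted name exists only after the interpreter builds the string, which is why the message recommends confining the Octave process itself (safe library, chroot) instead.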
