help-octave

Re: Sharing scripts


From: Jaroslav Hajek
Subject: Re: Sharing scripts
Date: Mon, 15 Mar 2010 08:09:23 +0100

On Sun, Mar 14, 2010 at 12:15 PM, MathCloud <address@hidden> wrote:
>
> Hi Sören,
>
> The service is free to use, just sign up and give it a try. Right now there
> are still quite a few bugs but I hope to get rid of them soon. Also, the user
> interface will be improved.
>
> Major issues at this point:
> - Does not work with Firefox browser
> - You can only plot from the command line, not in scripts
> - You will only get the printing from your script after it has finished, you
> can't print to check progress.
>
> I will fix these problems as soon as possible.
>
> I am not sure what you mean by making the source code available? You mean
> the code that implements the web interface? If so, that is not my intention
> at this point.
>
> I hope you will try this service and find it useful!
>
> Best regards,
>
> Anders
> MathCloud.se
>


Hi,

I just did some testing. I see you are now filtering system-related
words like "system". There are still problems, though:
1. You seem to always simply filter the whole line. This also forbids
   harmless stuff like
     text = "I hate this system";
2. It's still not enough. For instance, I was able to call system by
   things like this:
     sys = ["sys", "tem"];
     feval (sys, "<any system command>")

To combat this, you would need to also forbid feval and eval
completely, but I think that's going to cripple the interpreter.
The thing is that parsing the commands correctly is a complicated
business. It would be much better if the potentially harmful calls
were filtered directly in Octave, i.e. if Octave provided a
"restricted" interpreter mode. What do you think?


PS. Apparently I screwed something up while trying, because I'm now
getting the output
  fid = 4
for any input I send. I hope you'll sort it out.


-- 
RNDr. Jaroslav Hajek, PhD
computing expert & GNU Octave developer
Aeronautical Research and Test Institute (VZLU)
Prague, Czech Republic
url: www.highegg.matfyz.cz
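
Added example (not part of the original message and not MathCloud's code): a Python sketch of the line-based word filter described in the message above, run against the two cases it raises, next to a variant that ignores string literals. The blocklist contents, the function names and the shortened command placeholder are assumptions.

```python
import re

BLOCKED = {"system"}        # assumed blocklist; the message only names "system"
DYNAMIC = {"feval", "eval"}  # the calls the message says would also have to go

# Constructed inputs based on the two cases in the message above.
HARMLESS = 'text = "I hate this system";'
INDIRECT = ['sys = ["sys", "tem"];', 'feval (sys, "<command>")']

# Simplification: only double-quoted literals with backslash escapes are
# recognised; single-quoted strings and the transpose operator are ignored.
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT = re.compile(r'[A-Za-z_]\w*')


def identifiers(line):
    """Identifiers that appear in the line outside string literals."""
    return IDENT.findall(STRING.sub('""', line))


def line_filter(line):
    """Whole-line filter: allow only if no blocked word occurs anywhere."""
    return not any(word in line for word in BLOCKED)


def token_filter(line):
    """String-aware filter: allow unless a blocked word is an identifier."""
    return not any(tok in BLOCKED for tok in identifiers(line))


def uses_dynamic_call(line):
    """True if the line calls a function whose target is chosen at run time."""
    return any(tok in DYNAMIC for tok in identifiers(line))


def report():
    """(line, allowed by line filter, allowed by token filter, dynamic call)."""
    return [(l, line_filter(l), token_filter(l), uses_dynamic_call(l))
            for l in [HARMLESS] + INDIRECT]


if __name__ == "__main__":
    for line, by_line, by_token, dynamic in report():
        print(f"{line!r:40} line={by_line} token={by_token} dynamic={dynamic}")
```

The string-aware variant removes the false positive but still passes both lines of the indirect call, because the function name only exists at run time; the one static signal left is the use of feval itself.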


