
Re: FW: [ANNOUNCE] Web-Octave Ready For Test


From: John W. Eaton
Subject: Re: FW: [ANNOUNCE] Web-Octave Ready For Test
Date: Mon, 27 Nov 2000 13:01:39 -0600

On 27-Nov-2000, Ben Sapp <address@hidden> wrote:

| > I have developed a Web Interface to octave, allowing octave to be used on
| > any platform with a graphical - javascript enabled web browser.  I will be
| > making this code public, but I would like to get any bugs out before I
| > release the code.  If you would like to test it out here is the URL:
| > 
| > http://tech-research.buffalostate.edu/cgi-bin/sbox/Šþoctave/octave.pl
| > 
| > PLEASE send me any problems which you encounter.
| > 
| 
| graw should be removed from the list of acceptable commands.   Someone
| could do nasty things with it.   I was able to execute system commands
| with it. (Though, I was nice.)
| 
| I would have preferred to send this directly to the author but the email
| I obtained for him did not work -> address@hidden@localnet.com

I think that trying to remove commands is not the right approach.  It
doesn't prevent people from using things like

  eval (setstr (some_vector))

where some_vector contains the ascii codes for something bad, like
"system ('rm -rf /')".  There are legitimate uses of eval, so removing
it is probably not a good solution either.

Instead, you should probably try to ensure that Octave is running in a
safe environment, probably by either linking with a safe version of
the system libraries (file creation and removal are allowed, but only
if certain conditions are met, for example) or by running Octave
inside a safe chroot environment, or both.

William Schelter (http://www.ma.utexas.edu/users/wfs/) did this with
his Netmath system.  The sources for his safe library (which should
work on Linux systems) are available at
ftp://ftp.ma.utexas.edu/pub/maxima/libsafe.tgz.

jwe
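
As an added illustration of the "safe library" approach jwe describes above (file creation and removal honoured only when certain conditions are met), and not part of this thread or of Schelter's libsafe: a Python path-confinement policy of the kind such a wrapper would consult before carrying out a create or unlink request from an untrusted Octave session. The `SandboxPolicy` class, the `guarded_create`/`guarded_unlink` helpers and the rule "the resolved target must lie under the sandbox root" are assumptions of this example; the fixture in `demo()` (two temporary directories and a symlink from one into the other) is constructed. It goes slightly beyond the mail by covering the cases a naive prefix check gets wrong: `..` segments, symlinks into other directories, and sibling directories whose name merely starts with the root's name.

```python
"""Path-confinement check of the kind a "safe" system-library wrapper would
apply before honouring a file create/remove request from an untrusted
Octave session.  Added example; the names below are assumptions."""
import os
import tempfile


class SandboxPolicy:
    """All file operations must resolve to a target under `root`."""

    def __init__(self, root):
        # realpath the root itself so that a symlinked root (e.g. /tmp on
        # macOS) compares equal to the resolved targets later on.
        self.root = os.path.realpath(root)

    def canonical(self, path):
        # Relative paths are taken relative to the sandbox root (the session's
        # working directory).  realpath follows symlinks in every existing
        # component and collapses "." and ".."; a not-yet-existing final
        # component is kept as-is, so the check also works for creation.
        return os.path.realpath(os.path.join(self.root, path))

    def allowed(self, path):
        target = self.canonical(path)
        try:
            # commonpath, not str.startswith: "/tmp/sb2/x" must not pass for
            # a root of "/tmp/sb".
            return os.path.commonpath([self.root, target]) == self.root
        except ValueError:
            return False  # mixed absolute/relative paths or different drives


def guarded_create(policy, path):
    """Open `path` for writing, creating it, only if it lies in the sandbox."""
    if not policy.allowed(path):
        raise PermissionError("refusing to create outside sandbox: %s" % path)
    target = policy.canonical(path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    return open(target, "w")


def guarded_unlink(policy, path):
    """Remove `path` only if its resolved target lies in the sandbox.  The
    decision and the unlink both use the resolved path, so they cannot
    disagree about which file is meant."""
    if not policy.allowed(path):
        raise PermissionError("refusing to remove outside sandbox: %s" % path)
    os.unlink(policy.canonical(path))


def demo():
    """Constructed fixture: a throw-away sandbox with one symlink pointing
    outside it.  Returns which requests the policy honours."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as root:
        os.symlink(outside, os.path.join(root, "escape"))
        policy = SandboxPolicy(root)
        results = {
            "plain file":       policy.allowed("data/results.mat"),
            "dotdot inside":    policy.allowed("a/../b.txt"),
            "dotdot traversal": policy.allowed("../../etc/passwd"),
            "symlink escape":   policy.allowed("escape/secret.txt"),
            "absolute outside": policy.allowed(outside),
            "sibling prefix":   policy.allowed(policy.root + "2/x"),
        }
        # create and remove inside the sandbox: both honoured
        guarded_create(policy, "data/results.mat").close()
        created = os.path.join(policy.root, "data", "results.mat")
        results["created inside"] = os.path.isfile(created)
        guarded_unlink(policy, "data/results.mat")
        results["removed inside"] = not os.path.exists(created)
        # removal through the symlink resolves outside: refused
        try:
            guarded_unlink(policy, "escape/secret.txt")
            results["refused outside"] = False
        except PermissionError:
            results["refused outside"] = True
        return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-18s %s" % (label, ok))
```

The check and the operation are still two separate system calls, so a wrapper of this shape has the usual check-then-use window (a directory renamed into a symlink between the two calls); a libc-level version would have to pin the directory with `openat`/`O_NOFOLLOW`-style primitives, which is one reason jwe suggests combining the safe library with a chroot rather than relying on either alone.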



-------------------------------------------------------------
Octave is freely available under the terms of the GNU GPL.

Octave's home on the web:  http://www.octave.org
How to fund new projects:  http://www.octave.org/funding.html
Subscription information:  http://www.octave.org/archive.html
-------------------------------------------------------------