Menu
▾
▴
Re: disabling 'insecure' parts of gnuplot file
|
From: Hans-Bernhard B. <br...@ph...> - 2004-08-31 20:55:47
|
Arun Persaud wrote: > How about disabling the "!" command completely and checking that the > output file is in the right directory... deleting the "< ..." option > for input files might also be a good thing... As Ethan already pointed out, that would run into serious usability problems. > shouldn't be too much work to delete the right lines in the source code... Deleting them: no, that wouldn't be hard. But *finding* them would be, esp. if you want to be sure you found not just some of the relevant lines, but strictly *all* of them. Miss just one, and you've turned a known-insecure program into a presumably secure one with a hole. That would be rather the opposite of an improvement. > I'm not sure though in what other ways you could trick gnuplot to do > dangerous things... Neither are we. That's why I wrote that there are no way of doing that is foreseen in the source. This would require a full-blown audit of the entire code, and IMHO neither the team nor the code is in the condition that would warrant trying that. |
