From: Vladimir G. <vla...@du...> - 2010-02-03 23:50:19
On Feb 3, 2010, at 5:07 PM, William Piel wrote:

> (I just thought of something: nexus files written by Mesquite
> contain a Mesquite block with instructions that tell Mesquite what
> to do. In theory, someone could pack the Mesquite block with
> instructions to perform a heavy analysis or to do something stupid.
> This might be a security issue -- perhaps we need to take care that
> Mesquite blocks are ignored by our headless Mesquite. For example,
> if the first thing we do after receiving the file is "$text =~ s/
> $Begin MESQUITE;/Begin DO_NOT_EXECUTE;/ig" that would help to patch
> this security hole).

My understanding was that the only part of Mesquite that is being used is its nexus parser. Under common-sense software design, this should not involve execution.

If you do have reasons for concern, I'd first suggest testing whether it's indeed a problem. Could you come up with a nexus file with an instruction block that does something obvious (e.g. creates a Hello file at a specified location) when run through headless Mesquite directly, and then run it just through the parser to see whether the action still happens?

--VG