Re: Gnumeric/Guile/Python
- From: "Tuomas J. Lukka" <lukka fas harvard edu>
- To: Miguel de Icaza <miguel nuclecu unam mx>
- cc: dmiller ilogic com au, goldin flight uchicago edu, gnome-list gnome org
- Subject: Re: Gnumeric/Guile/Python
- Date: Wed, 26 May 1999 14:57:00 -0400 (EDT)
On Tue, 25 May 1999, Miguel de Icaza wrote:
>
> > > No, there is no way to do this. And for now I have no plans on doing
> > > this. Until we fully understand the implications of potential viruses
> > > transmited by this medium, I do think this is not a good idea.
> >
> > If guile or python code is limited to changing the current sheet only
> > and not modifying files or templates then there is no oppurtunity
> > for it to spread.
>
> And how are you going to do this? Once you are in Python land, there
> is no way to block any access to the file system or the network.
> Unless Python/Perl include some sort of sandbox setup.
At least Perl does
> > It is Microsoft's broken security model that causes secruity
> > nightmares such as Melissa, not the concept to embeddable code
> > itself.
>
> If I can put arbitrary code in Gnumeric, how would you stop this
> attack:
>
> =perl("unlink /etc/passwd;");
use Safe;
$s = Safe->new(...);
$s->eval($code);
should do it. Of course, this disallows file io completely.
Tuomas
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
