Hi,

On Mon, 06 Jul 2015 11:42:55 +1000 Carl Suster <[email protected]> wrote:
> I am in the process of packaging the new upstream version of plowshare.
> There has been a significant change so that the core framework (of shell
> scripts) is kept entirely separate to the scripts which use this API to
> implement support for specific external sites. Once this new version is
> available in the archives (it will have to go through the NEW queue
> because of the split into separate packages), I will be able to audit
> the code more carefully and isolate any javascript snippets. Hence I'll
> defer addressing this bug until the new package is ready.
plowshare4 is part of a stable Debian release so the new upstream version
won't help there. There doesn't seem to be a difference between version 1
and 2 on how Javascript is handled anyway. The modules parse Javascript code
from a website and call javascript() which is located in core.sh.

That leaves two options:

1) Figure out how to make rhino run the javascript code in a sandbox.
2) Add a patch to disable Javascript code evaluation (probably breaking
   some modules).

Felix

