Helge Hafting wrote:
> According to
> http://stackoverflow.com/questions/10937597/security-risks-of-gnuplot-web-interface,
> gnuplot can be built "safer" by disabling pipe operations. That leaves the
> unsafe commands "shell", "system" and "!", but a simple shellscript using
> "grep" can check for these 3 commands and refuse to run gnuplot on a file
> that contains any of them. Is that safe enough?

Opening doors for hacks like s\ystem or whatever weird thing might be possible with gnuplot syntax. Homebrew solutions are, in the end, just waiting for someone who has a twisted enough mind to see things you don't catch.

> I can understand that devs might not want to create a "safe gnuplot"
> because pipes and "shell/system" are useful commands. Apparently they are
> also against having a --safe-mode switch, even though it wouldn't impact
> those not using this switch.

--safe-mode would be a solution I would consider 'safe', and as I infer from your mail, gnuplot's devs did not change their opinion about it...

I just read that AlphaGo was smuggled into online Go platforms and won 50 games in a row over a number of world champions, some stronger than Lee Sedol last year. I hope some 'unknown' developer appears on the gnuplot list and lets it pass. Alpha, do you hear me?

Pavel
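The grep pre-check proposed in the quoted message, together with the gap the reply points to, as an added example that is not part of the original thread. `check_script` and the sample files are constructed here, and the script only shows what the text filter matches, not what gnuplot itself would accept.

```shell
#!/bin/sh
# Added example: a blocklist pre-check for gnuplot input files.
# check_script is a hypothetical helper name, not part of gnuplot.
# It returns 0 when the file passes the filter and 1 when it is refused.
check_script() {
    # Refuse the words "shell" or "system" and any "!" character.
    # Refusing every "!" also rejects harmless uses such as "!=".
    if grep -Eq '(^|[^[:alnum:]_])(shell|system)([^[:alnum:]_]|$)|!' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample inputs, written to a temporary directory.
SAMPLES=$(mktemp -d)
printf 'set terminal png\nplot sin(x)\n' > "$SAMPLES/plain.gp"
printf 'plot sin(x)\nsystem "date"\n'    > "$SAMPLES/system.gp"
printf '!date\n'                         > "$SAMPLES/bang.gp"
# The spelling from the reply: the filter compares text, so the extra
# backslash is enough to stop the word "system" from matching.
printf 's\\ystem "date"\n'               > "$SAMPLES/escaped.gp"

for f in plain system bang escaped; do
    if check_script "$SAMPLES/$f.gp"; then
        echo "pass    $f.gp"
    else
        echo "refused $f.gp"
    fi
done
```

The filter decides on the characters in the file, while gnuplot decides on the commands it parses; any difference between the two is where a blocklist of this kind fails.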