> > """
> > Dear Sage user,
> >
> > just click on this link to see a proof of the Riemann hypothesis done in
> > Sage:
> >
> > http://localhost:8000/open_file/etc/passwd
> > """
>
> So? You could also type

Sorry, I meant to put some URL that is not localhost.

> os.system('cat /etc/passwd')
>
> in any notebook cell and cell exactly the same thing.

Yeah sure, if we're talking localhost only then everything is almost trivial.
However, the issue still is: whose right to open the file are we invoking? The
user's (by letting the browser deal with the file reading/sending) or the
server's (by calling open("/etc/passwd")). I think it should be the user's,
since the server should not be able to read a user's $HOME if not run by the
user.

Bottom line: everything goes through the browser's file upload dialog anyway
and thus we don't have to worry about security implications.

Martin

--
name: Martin Albrecht
_pgp: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8EF0DC99
_otr: 47F43D1A 5D68C36F 468BAEBA 640E8856 D7951CCF
_www: http://www.informatik.uni-bremen.de/~malb
_jab: martinralbre...@jabber.ccc.de
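
Added example, not part of the original message and not Sage notebook code: for the server-side case raised above, where the server itself calls open() on a path taken from an /open_file/<path> URL, this sketch shows a containment check that resolves the path before comparing it against an allowed directory. The names resolve_under, is_allowed and demo and the sample files are hypothetical.

```python
import os
import tempfile


class PathNotAllowed(Exception):
    """Raised when a requested path resolves outside the allowed directory."""


def resolve_under(base_dir, requested):
    """Return the real path of `requested` if it stays inside `base_dir`.

    `requested` is the path portion of a URL such as /open_file/<requested>
    and is treated as untrusted input.
    """
    base = os.path.realpath(base_dir)
    # An absolute `requested` replaces `base` in join(); realpath() then
    # resolves ".." and symlinks, so the check below sees the final target.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathNotAllowed(requested)
    return candidate


def is_allowed(base_dir, requested):
    """True if `requested` resolves inside `base_dir`, False otherwise."""
    try:
        resolve_under(base_dir, requested)
        return True
    except PathNotAllowed:
        return False


def demo():
    """Constructed sample: a temp directory stands in for the served directory."""
    with tempfile.TemporaryDirectory() as base:
        open(os.path.join(base, "notes.txt"), "w").close()
        os.symlink("/etc", os.path.join(base, "link"))  # symlink pointing outside
        requests = ["notes.txt", "/etc/passwd", "../../etc/passwd", "link/passwd"]
        return {r: is_allowed(base, r) for r in requests}


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path!r}: {'served' if ok else 'refused'}")
```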