On Mon, Nov 4, 2013 at 7:28 AM, Christophe Bal <projet...@gmail.com> wrote:
> Thanks. Where is all of this implemented?

Don't worry about it further -- I'll fix the parsing bug that you found
sometime this week. If you find any further bugs anywhere in
cloud.sagemath.com, please don't hesitate to report them!

Thanks again,

William

>
> On 4 Nov 2013 15:20, "William Stein" <wst...@gmail.com> wrote:
>
>> On Mon, Nov 4, 2013 at 6:04 AM, Christophe Bal <projet...@gmail.com>
>> wrote:
>> > Indeed there are small security problems and big ones. The use of eval
>> > or exec can cause really big problems. I'll try to show that in private.
>> > Not here... I'm not sure I would do such a hack, but if the actual version
>> > uses exec or eval, it would be possible.
>> >
>> > My remark is just to help and not to criticize freely. Sorry for my
>> > English because this is not my natural language.
>> >
>>
>> Fortunately, in the context of https://cloud.sagemath.com there are
>> absolutely no security issues associated with using exec, eval, etc.
>> This is because all relevant Python code is run in an isolated virtual
>> machine, in which the user is explicitly given -- by the security
>> model -- full shell access (in that VM). That's made clear in this
>> case, since there is literally a terminal in cloud.sagemath.
>>
>> There are other contexts where exec/eval must be avoided, but this
>> isn't one of them, fortunately.
>>
>> William
>>
>>
>> > Best regards.
>> > Christophe
>> >
>> > On 4 Nov 2013 09:46, "Nils Bruin" <nbr...@sfu.ca> wrote:
>> >
>> >> On Sunday, November 3, 2013 11:19:45 PM UTC-8, projetmbc wrote:
>> >>>
>> >>> The use of AST is a pretty way BUT you must not use eval or exec
>> >>> because of real security issues. It's easy to find explanations
>> >>> about that on the web.
>> >>
>> >>
>> >> If you read these explanations, you'll see that by the same logic, you
>> >> shouldn't run a notebook server because of real security issues (and if
>> >> you don't understand that, then you should indeed not run a notebook
>> >> server accessible to other people). The code that is input into a
>> >> notebook is already run via something equivalent to exec (try and think
>> >> of another way of letting sage do what it does). The code proposed is
>> >> not less secure than what we're already doing in the notebook.
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google
>> >> Groups "sage-support" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send
>> >> an email to sage-support+unsubscr...@googlegroups.com.
>> >> To post to this group, send email to sage-support@googlegroups.com.
>> >> Visit this group at http://groups.google.com/group/sage-support.
>> >> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>> --
>> William Stein
>> Professor of Mathematics
>> University of Washington
>> http://wstein.org