Security implications of loading custom reports
Derek Atkins
warlord at MIT.EDU
Thu Oct 23 12:25:15 EDT 2014
John Ralls <jralls at ceridwen.us> writes:
>> I'm not sure this is possible in guile only. A report is written as
>> a guile module. Loading the module already executes code
>> (gnc:define-report). That code can be abused to do bad things when
>> loading a custom report.
>
> Wow. That’s an incredible failure for something that’s promoted as an
> application scripting language.

I'm not sure that people care about security when you're modifying your
own application. Similarly, emacs' e-lisp lets you get into pretty much
any part of the application. That's not considered a failure, either.
It's a feature.

We could limit the "damage" by limiting which APIs are available. But
it's a Turing-complete language so you could do anything.

I just don't see the reason to rework all this. What's the threat
you're trying to prevent (other than "broken report crashes the app" --
which we should fix by catching the exception)?

-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available