Security implications of loading custom reports

Derek Atkins warlord at MIT.EDU
Thu Oct 23 12:25:15 EDT 2014


John Ralls <jralls at ceridwen.us> writes:

>> I'm not sure this is possible in guile only. A report is written as
>> a guile module. Loading the module already executes code
>> (gnc:define-report). That code can be abused to do bad things when
>> loading a custom report.
>
> Wow. That’s an incredible failure for something that’s promoted as an
> application scripting language.

I'm not sure that people care about security when you're modifying your
own application.  Similarly, emacs' e-lisp lets you get into pretty much
any part of the application.  That's not considered a failure, either.
It's a feature.

We could limit the "damage" by limiting which APIs are available.  But
it's a Turing-complete language so you could do anything.

I just don't see the reason to rework all this.  What's the threat
you're trying to prevent (other than "broken report crashes the app" --
which we should fix by catching the exception)?

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
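
Added example, not part of the original message and not GnuCash code: the two mitigations named in the thread (limiting which APIs a report can see, and catching the exception a broken report throws) shown together in plain Guile. It assumes Guile 2.2 or later, which ships (ice-9 sandbox); load-report-safely, read-all-forms and the three report texts are hypothetical and constructed for the illustration.

```scheme
;; Added illustration, not GnuCash code. Assumes Guile 2.2+ for (ice-9 sandbox).
;; load-report-safely, read-all-forms and the report texts are hypothetical.
(use-modules (ice-9 sandbox))

;; Constructed "report files": top-level forms run as soon as they are loaded.
(define good-report   "(define total (+ 1200 345)) total")
(define broken-report "(car '())")                            ; raises on load
(define nosy-report   "(open-input-file \"/etc/hostname\")")  ; wants file I/O

;; Read every top-level form from the report text without evaluating any.
(define (read-all-forms text)
  (call-with-input-string text
    (lambda (port)
      (let loop ((forms '()))
        (let ((form (read port)))
          (if (eof-object? form)
              (reverse forms)
              (loop (cons form forms))))))))

;; Evaluate a report with only side-effect-free bindings visible, under
;; eval-in-sandbox's default time and allocation limits, and turn any
;; throw into a value so the caller keeps running.
(define (load-report-safely text)
  (catch #t
    (lambda ()
      (cons 'ok (eval-in-sandbox `(begin ,@(read-all-forms text))
                                 #:bindings all-pure-bindings)))
    (lambda (key . args)
      (cons 'rejected key))))

;; Load each constructed report and print either its value or the error key.
(for-each
 (lambda (name+text)
   (format #t "~a: ~s~%" (car name+text) (load-report-safely (cdr name+text))))
 `(("good"   . ,good-report)
   ("broken" . ,broken-report)
   ("nosy"   . ,nosy-report)))
```

The sandbox narrows what a report's top-level code can reach and bounds its run time; a report that needs application APIs would require those bindings to be added to the list passed as #:bindings.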



More information about the gnucash-devel mailing list