report in python, a first version

Geert Janssens geert.gnucash at kobaltwit.be
Thu Nov 17 03:46:53 EST 2016


On Wednesday 16 November 2016 17:57:27 John Ralls wrote:
> > On Nov 16, 2016, at 2:19 PM, Sébastien de Menten
> > <sdementen at gmail.com> wrote:
> > Still hoping *complexity* is not considered a feature ;-)
> > 
> > > It's the html string that I'm particularly worried about, because
> > > that gets you to a well-known library with lots of well-known and
> > > well-documented vulnerabilities [1] and it's well-known that we
> > > use an obsolete version. That's a very easy and tempting
> > > target.
> > Am I wrong, or is any guile report already able to send any html
> > string explicitly? Isn't this vulnerability already there today?
> > The fact that the html string is generated by guile in scheme or by
> > guile after having called an external process doesn't make a
> > difference to me ... or am I missing the elephant in the room?
> > > I'm utterly agnostic about what format the report-config file is,
> > > but since Guile already knows how to read XML [2] and the fewer
> > > dependencies the better, I'd lean towards that.
> > Indeed, I had no success in using guile json but am no guile expert.
> > 
> > > Yes, having a Guile interpreter is also a security hole, though
> > > less well known and with a much smaller attack surface than
> > > WebKit. I'll be very happy indeed when it's no longer central to
> > > GnuCash.
> > As written, the vulnerabilities are both in guile (as it can execute
> > any command on your system) and in the report approach that will
> > accept any html string (and use a webkit vulnerability).
> Sébastien,
> 
> Not a feature necessarily, but in many cases reasonable because
> GnuCash addresses a complex set of problems and strives to make them
> easier for the user to deal with. Avoiding that complexity because
> it's "too hard" just creates a simplistic solution that doesn't blend
> with the rest of the program and fails to address the user's needs.
> 
> I don't know if it's an elephant, but regardless of the
> vulnerabilities already present in GnuCash you're proposing to open
> another one.
> 
Fully agreed.

Geert
