I've now closed two more security holes:
1. By setting an evil "browser-app" property and opening the browser
help, aircraft from questionable sources could execute arbitrary
code in the calling shell under Unix:

    setprop("/sim/startup/browser-app", "rm -rf " ~ getprop("/sim/fg-home"));
    fgcommand("helpCb");

This is no longer possible. The browser is ATM still started with
system(), but the definition in preferences.xml is write protected
and can only be overridden via --prop:sim/startup/browser-app
command line option, but not by other XML files, such as aircraft
*-set.xml files. Also, the string is evaluated before the first
user-Nasal-code runs, while later changes to the property have no
effect. (TODO: consider using (v)fork()/execvp() instead of system())
2. One could use fgcommand() "savexml" to overwrite arbitrary
writable XML files, and "save" to overwrite arbitrary writable
files. That's not as dangerous as io.open() was, but an overwritten
~/.fgfs/autosave.xml or ~/.fgfs/preferences.xml would still be
an annoyance.
Both are now treated the same way (and by the same code) as
io.open(). "save" and "load" enforce an extension ".sav" (which
traditionally was the extension for such files). Rules in
$FG_ROOT/Nasal/IOrules restrict the use of these commands
further.
These changes close the last security holes that I was aware of.
Note that the path checking is done by io.nas under Nasal even
for the C++ parts. That made the most sense for now, as closing
the holes had priority, but it doesn't mean that we have to stick
with that approach.
m.
PS: all exploits are still possible under v1.0, so watch out! :-)
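
The TODO in item 1 (fork()/execvp() instead of system()) could look like the following. This is an added example, not part of the original mail and not FlightGear code; the name `launch_browser`, the sample URL and the assumption that the property holds a bare program name without arguments are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: start `app` with `url` as its only argument,
 * without going through a shell. Returns the child's exit status,
 * 127 if the program could not be executed, -1 on bad input or on
 * fork/wait failure. It waits for the child so the result can be
 * inspected; a real caller would not block on the browser. */
int launch_browser(const char *app, const char *url)
{
    if (app == NULL || *app == '\0' || url == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: the property value is used as one program name.
         * ';', '&', spaces etc. are ordinary bytes here because no
         * shell ever parses the string. */
        char *const argv[] = { (char *)app, (char *)url, NULL };
        execvp(app, argv);
        _exit(127);                 /* exec failed, e.g. no such program */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values. */
    const char *url = "http://localhost/help/index.html";
    printf("plain name:       %d\n", launch_browser("true", url));
    printf("with shell chars: %d\n", launch_browser("true; echo injected", url));
    return 0;
}
```

With system() the second call would run two commands; here the whole string is looked up as a single program name and the exec fails.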
_______________________________________________
Flightgear-devel mailing list
https://lists.sourceforge.net/lists/listinfo/flightgear-devel