On 16 Jun 2008, at 18:37, Eddie Kohler wrote:
> A quick question. I've just added a handler to Click's Script element,
> accessible at userlevel, called "cat". This handler reads a file and returns
> its contents. For example:
>
> Script(set x $(cat /tmp/f))
>
> sets the script's "$x" variable to the contents of /tmp/f.
>
> This is pretty useful, but also potentially dangerous, since anyone who can
> call the Script's "cat" handler can read any file accessible to the click
> program. I am wondering if anyone finds this dangerous -- for example if
> someone is running ControlSocket. One possibility would be to make "cat"
> accessible within the config, and not from ControlSocket.

Hi Eddie,

Could you give an example of where this might be useful? I think there is a large coupling between your system and your router if you need this, but perhaps I'm mistaken.

I personally think it's dangerous, as a ControlSocket has no authentication at all. For now that's not really a problem because of the limited capabilities of a router, but it would become more dangerous. We would have to be very careful not to write any code that might result in that script being called. Also in new elements...

On the other hand, if one already runs Click as root, you should know the implied dangers.

Regards,
Bart

--
Bart Braem
PATS research group - IBBT
Dept. of Mathematics and Computer Sciences
University of Antwerp
Campus Middelheim, G2.36
Middelheimlaan 1
B-2020 Antwerpen, Belgium
Phone: +32 (0)3 265.32.91
Fax: +32 (0)3 265.37.77
Web: www.pats.ua.ac.be
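
The option raised in the quoted message, keeping "cat" reachable from the configuration but not from ControlSocket, sketched as an added example (not code from Click or from either poster): each handler carries a flag and dispatch checks who is calling. `Origin`, `HandlerTable`, `config_only` and the `version` handler are hypothetical names, not Click's API.

```cpp
// Minimal model of origin-aware handler dispatch. NOT Click's code:
// Origin, HandlerTable and config_only are hypothetical names.
#include <fstream>
#include <functional>
#include <iostream>
#include <iterator>
#include <map>
#include <string>
#include <utility>

enum class Origin { Config, ControlSocket };  // who is invoking the handler

struct Handler {
    std::function<std::string(const std::string&)> fn;
    bool config_only;  // true: never reachable from the unauthenticated socket
};

class HandlerTable {
    std::map<std::string, Handler> handlers_;
public:
    void add(const std::string& name, Handler h) { handlers_[name] = std::move(h); }

    // Fills `out` and returns true on success; returns false (leaving `out`
    // untouched) if the handler is unknown or the origin may not reach it.
    bool call(Origin from, const std::string& name, const std::string& arg,
              std::string& out) const {
        auto it = handlers_.find(name);
        if (it == handlers_.end()) return false;
        if (it->second.config_only && from != Origin::Config) return false;
        out = it->second.fn(arg);
        return true;
    }
};

// File-reading handler in the spirit of the "cat" handler described above.
std::string cat_file(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in),
                       std::istreambuf_iterator<char>());
}

HandlerTable make_table() {
    HandlerTable t;
    t.add("cat", {cat_file, /*config_only=*/true});
    t.add("version", {[](const std::string&) { return std::string("demo"); }, false});
    return t;
}

int main() {
    { std::ofstream f("cat_demo.txt"); f << "constructed sample\n"; }  // constructed input
    HandlerTable t = make_table();
    std::string out;
    std::cout << "config: " << t.call(Origin::Config, "cat", "cat_demo.txt", out) << "\n";
    std::cout << "socket: " << t.call(Origin::ControlSocket, "cat", "cat_demo.txt", out) << "\n";
}
```

The check sits in the dispatcher rather than in the handler, so a handler added later is covered by setting its flag instead of each element re-implementing the test.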
