Can you demonstrate how to make this happen? Opening a file with these contents, for example, doesn't install anything.
  #lang racket
  (require (planet planet/test-connection:1:0/test-connection))

As for automatically executing arbitrary code, I think you must mean something more precise here. Perhaps "code that hasn't already been explicitly installed"? If that's what you mean, then I think I'm also missing how this happens.

Robby

On Wed, Nov 27, 2013 at 4:42 PM, Jay McCarthy <j...@racket-lang.org> wrote:
> There is an important change in this commit. Since we've created the
> release branch for 6.0, I think we should stop automatically
> installing and executing arbitrary code when people open files in
> DrRacket. Currently the error message suggests using "raco planet" but
> I think we need a bit of a GUI shim for other users.
>
> On Wed, Nov 27, 2013 at 3:40 PM, <j...@racket-lang.org> wrote:
> > jay has updated `master' from 033065f632 to 60ae164d05.
> > http://git.racket-lang.org/plt/033065f632..60ae164d05
> >
> > =====[ 6 Commits ]======================================================
> > Directory summary:
> > 57.6% pkgs/plt-services/meta/pkg-index/official/static/
> > 17.6% pkgs/plt-services/meta/pkg-index/official/
> > 22.0% racket/collects/planet/private/
> >
> > ~~~~~~~~~~
> >
> > 2413278 Jay McCarthy <j...@racket-lang.org> 2013-11-27 14:51
> > :
> > | moving delete button
> > :
> > M .../meta/pkg-index/official/static/index.html | 2 ++
> > M .../meta/pkg-index/official/static/index.js | 16 +++++++++-------
> > M .../meta/pkg-index/official/static/style.css | 4 ++++
> >
> > ~~~~~~~~~~
> >
> > 113696c Jay McCarthy <j...@racket-lang.org> 2013-11-27 14:54
> > :
> > | edit on lose focus
> > :
> > M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-
> >
> > ~~~~~~~~~~
> >
> > cf1755f Jay McCarthy <j...@racket-lang.org> 2013-11-27 15:19
> > :
> > | Remove arbitrary code execution exploit from Racket and DrRacket
> > |
> > | This is particularly bad with DrRacket's online syntax checking, which
> > | causes opening a file to download and execute arbitrary code.
> > :
> > M racket/collects/planet/private/resolver.rkt | 8 ++++----
> >
> > ~~~~~~~~~~
> >
> > 98df30c Jay McCarthy <j...@racket-lang.org> 2013-11-27 15:30
> > :
> > | deleting static s3 content properly
> > :
> > M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11 ++++++++++-
> >
> > ~~~~~~~~~~
> >
> > 7b7a5ad Jay McCarthy <j...@racket-lang.org> 2013-11-27 15:33
> > :
> > | increase pkg test timeout
> > :
> > M pkgs/plt-services/meta/props | 2 +-
> >
> > ~~~~~~~~~~
> >
> > 60ae164 Jay McCarthy <j...@racket-lang.org> 2013-11-27 15:39
> > :
> > | Removing add tag button when not logged in re mflatt
> > :
> > M pkgs/plt-services/meta/pkg-index/official/static/index.js | 11 +++++++++--
> > M .../plt-services/meta/pkg-index/official/static/index.html | 2 +-
> >
> > =====[ Overall Diff ]===================================================
> >
> > pkgs/plt-services/meta/pkg-index/official/static.rkt
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt
> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt
> > @@ -304,7 +304,16 @@ > > (cache "/pkgs" "pkgs") > > (cache "/pkgs-all" "pkgs-all") > > (for ([p (in-list pkg-list)]) > > - (cache (format "/pkg/~a" p) (format "pkg/~a" p)))) > > + (cache (format "/pkg/~a" p) (format "pkg/~a" p))) > > + > > + (let () > > + (define pkg-path (build-path static-path "pkg")) > > + (for ([f (in-list (directory-list pkg-path))] > > + #:unless (regexp-match #"json$" (path->string f)) > > + #:unless (member (path->string f) pkg-list)) > > + (with-handlers ([exn:fail:filesystem? void]) > > + (delete-file (build-path pkg-path f)) > > + (delete-file (build-path pkg-path (path-add-suffix f > #".json"))))))) > > > > (module+ main > > (require racket/cmdline) > > > > pkgs/plt-services/meta/pkg-index/official/static/index.html > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.html > > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.html 
> > @@ -54,12 +54,14 @@ > > <tr><td>Last Edit:</td><td><span > id="pi_last_edit"></span></td></tr> > > <tr><td>Description:</td><td><span > id="pi_description"></span></td></tr> > > <tr><td>Tags:</td><td><span id="pi_tags"></span></td></tr> > > - <tr><td></td><td><input type="text" id="pi_add_tag_text" > class="text ui-widget-content ui-corner-all" /><button > id="pi_add_tag_button">Add Tag</button></td></tr> > > + <tr id="pi_add_tag_row"><td></td><td><input type="text" > id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /><button > id="pi_add_tag_button">Add Tag</button></td></tr> > > <tr id="pi_versions_row"><td>Versions Exceptions</td><td><table > id="pi_versions"></table></td></tr> > > <tr > id="pi_add_version_row"><td></td><td><label>Version:</label> <input > type="text" id="pi_add_version_text" class="text ui-widget-content > ui-corner-all" /><br /><label>Source:</label> <input type="text" > id="pi_add_version_source_text" class="text ui-widget-content > ui-corner-all" /><button id="pi_add_version_button">Add Version > Exception</button></td></tr> > > <tr id="pi_dependencies_row"><td>Dependencies</td><td><span > id="pi_dependencies"></span></td></tr> > > <tr id="pi_conflicts_row"><td>Conflicts</td><td><span > id="pi_conflicts"></span></td></tr> > > <tr><td>Modules</td><td><span id="pi_modules"></span></td></tr> > > + <tr id="pi_delete_row"><td colspan="2"><button > id="pi_delete_button">Delete > > + Package</button><br />(there is no undo!)</td></tr> > > </table> > > > > <div id="pi_install" class="install">Install this package > with:<br><br><tt>raco pkg install <span > id="pi_name_inst"></span></tt><br><br>or, with the 'File|Install > Package...' menu option in DrRacket.</div> > > > > pkgs/plt-services/meta/pkg-index/official/static/index.js > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.js > > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.js 
> > @@ -8,6 +8,8 @@ function me () { > > return localStorage['email']; } > > > > $( document ).ready(function() { > > + var logged_in = false; > > + > > function jslink ( texts, clickf) { > > return $('<a>', { href: "javascript:void(0)", > > click: clickf } ).html(texts); } > > @@ -43,7 +45,7 @@ $( document ).ready(function() { > > update_package_on_list ( pkgi ); > > // console.log( pkgi ); > > change_hash( "[" + pkgi['name'] + "]" ); > > - > > + > > var mypkg_p = ($.inArray(me(), pkgi['authors'] ) != -1); > > > > function make_editbutton ( spot, initv, fun ) { > > @@ -56,17 +58,20 @@ $( document ).ready(function() { > > var it = $( "#" + spot + > "_text" ); > > it.keypress( function (e) { > > if (e.which == 13) { > fun (it.val()); } } ); > > + it.focusout( function (e) { > > + fun (it.val()); } ); > > it.val(initv).focus(); } ) > ); } } > > > > $( "#pi_name" ).text( pkgi['name'] ); > > make_editbutton ( "pi_name", pkgi['name'], submit_mod_name ); > > if ( mypkg_p ) { > > - $( "#pi_name" ).append( $('<button>') > > - .button({ icons: { primary: > "ui-icon-trash" } }) > > - .click( function (e) { > > - dynamic_pkgsend( > "/jsonp/package/del", { } ); > > - $(pkgi['dom_obj']).remove(); > > - > $("#package_info").dialog("close"); } ) ); } > > + $( "#pi_delete_button" ).click( function (e) { > > + dynamic_pkgsend( "/jsonp/package/del", { } ); > > + $(pkgi['dom_obj']).remove(); > > + $("#package_info").dialog("close"); } ); > > + $( "#pi_delete_row" ).show(); } > > + else { > > + $( "#pi_delete_row" ).hide(); } > > > > $( "#pi_name_inst" ).text( pkgi['name'] ); > > $( "#pi_ring" ).text( pkgi['ring'] ); 
> > @@ -104,6 +109,10 @@ $( document ).ready(function() { > > " "]; } > > else { > > return [tag, " "]; } } ) )); > > + if ( logged_in ) { > > + $( "#pi_add_tag_row" ).show(); } > > + else { > > + $( "#pi_add_tag_row" ).hide(); } > > > > $( "#pi_versions" ).html("").append( $.map( > Object.keys(pkgi['versions']).sort(), function ( v, vi ) { > > var vo = pkgi['versions'][v]; > > @@ -494,8 +503,10 @@ $( document ).ready(function() { > > $( "#login_code_row" ).hide(); > > > > function menu_logout () { > > + logged_in = false; > > $("#logout").html( jslink( "login", function () { $( "#login" > ).dialog( "open" ); } ) ); } > > function menu_loggedin ( curate_p ) { > > + logged_in = true; > > $("#logout").html("") > > .append( me(), > > ( curate_p ? [ " (", jslink( "curator", function > () { > > > > pkgs/plt-services/meta/pkg-index/official/static/style.css > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/style.css > > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/style.css > > @@ -150,3 +150,7 @@ a.possible { > > text-align: center; > > color: red; > > } > > + > > +tr#pi_delete_row td { > > + text-align: center; > > +} > > > > pkgs/plt-services/meta/props > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > --- OLD/pkgs/plt-services/meta/props > > +++ NEW/pkgs/plt-services/meta/props 
> > @@ -1289,7 +1289,7 @@ path/s is either such a string or a list of them. > > "pkgs/racket-pkgs/racket-test/tests/openssl/basic.rkt" drdr:random #t > > "pkgs/racket-pkgs/racket-test/tests/pkg" responsible (jay) > drdr:command-line (mzc *) > > "pkgs/racket-pkgs/racket-test/tests/pkg/test-pkgs" drdr:command-line #f > > -"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line > (raco "test" *) drdr:timeout 600 > > +"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line > (raco "test" *) drdr:timeout 2400 > > "pkgs/racket-pkgs/racket-test/tests/racket" responsible (mflatt) > > "pkgs/racket-pkgs/racket-test/tests/racket/all.rktl" drdr:command-line > #f > > "pkgs/racket-pkgs/racket-test/tests/racket/basic.rktl" > drdr:command-line #f > > > > racket/collects/planet/private/resolver.rkt > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > --- OLD/racket/collects/planet/private/resolver.rkt > > +++ NEW/racket/collects/planet/private/resolver.rkt > > @@ -219,9 +219,9 @@ See the scribble documentation on the > planet/resolver module. > > (struct-out exn:fail:planet)) > > > > ;; if #f, will not install packages and instead raise a > exn:fail:install? error > > -(define install? (make-parameter #t)) > > +(define install? (make-parameter #f)) > > ;; if #f, will not download packages and instead raise a > exn:fail:install? error > > -(define download? (make-parameter #t)) > > +(define download? (make-parameter #f)) > > (define-struct (exn:fail:planet exn:fail) ()) > > > > ;; update doc index only once for a set of installs: 
> > @@ -541,7 +541,7 @@ See the scribble documentation on the > planet/resolver module. > > (unless (download?) > > (raise (make-exn:fail:planet > > (format > > - "PLaneT error: cannot download package ~s since the > download? parameter is set to #f" > > + "PLaneT error: cannot download package ~s without > permission. Give permission with download? parameter or use 'raco planet > install'" > > (list (car (pkg-spec-path pkg)) (pkg-spec-name pkg))) > > (current-continuation-marks)))) > > ((if (USE-HTTP-DOWNLOADS?) download-package/http > download-package/planet) > > @@ -577,7 +577,7 @@ See the scribble documentation on the > planet/resolver module. > > (unless (install?) > > (raise (make-exn:fail:planet > > (format > > - "PLaneT error: cannot install package ~s since the > install? parameter is set to #f" > > + "PLaneT error: cannot install package ~s without > permission. Give permission with download? parameter or use 'raco planet > install'" > > (list (car pkg-path) pkg-name maj min)) > > (current-continuation-marks)))) > > (define owner (car pkg-path)) > > _________________________ > Racket Developers list: > http://lists.racket-lang.org/dev >
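Review bot: in the static.rkt hunk (@@ -304,7 +304,16 @@) a single `(with-handlers ([exn:fail:filesystem? void]) ...)` wraps both `delete-file` calls, so when deleting `pkg/<f>` fails the paired `pkg/<f>.json` is skipped and left behind, and every filesystem error is swallowed with no log line; wrap each `delete-file` in its own handler (or log the exception instead of `void`) so a stale JSON file cannot outlive its package file. The `#:unless (member (path->string f) pkg-list)` test also silently assumes `pkg-list` holds strings spelled exactly like the file names produced by `(format "pkg/~a" p)` above; if the elements were symbols, `member` would never match and the loop would delete every cached package page, so that assumption deserves a comment or a contract check.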
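Review bot: the new `pi_delete_row` in the index.html hunk (@@ -54,12 +54,14 @@), like `pi_add_tag_row`, is only hidden or shown client-side (index.js toggles them on `mypkg_p` and `logged_in`, and `mypkg_p` is computed from `me()`, which reads `localStorage['email']`), so this is a usability change, not an authorization check; the server handlers behind `/jsonp/package/del` and tag addition must verify ownership and login on their own, because the hidden state of a row cannot be relied on to prevent the request. Given the "(there is no undo!)" label, a `confirm()` before `dynamic_pkgsend( "/jsonp/package/del", { } )` would also be cheap protection against a mis-click.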
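Review bot: in the index.js hunk at @@ -56,17 +58,20 @@, `$( "#pi_delete_button" ).click( ... )` binds a fresh handler on a persistent element every time a package's info is opened, whereas the removed code created a new button under `#pi_name` each time; after viewing several packages one click runs every accumulated handler, each closing over its own `pkgi` and calling `dynamic_pkgsend( "/jsonp/package/del", { } )` and `$(pkgi['dom_obj']).remove()`. Clear the old binding first, e.g. `$( "#pi_delete_button" ).off("click").click( ... )` (or `unbind` on older jQuery). In the same hunk, the added `it.focusout( function (e) { fun (it.val()); } )` runs alongside the existing Enter keypress handler, so an edit committed with Enter can be submitted a second time when the field then loses focus; guard with a "submitted" flag or only submit on focusout when the value differs from `initv`.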
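Review bot: the flip of the `install?` and `download?` defaults from `#t` to `#f` at @@ -219,9 +219,9 @@ in resolver.rkt is the actual security fix and warrants its own commit and release note, since it changes behaviour for every resolution of a not-yet-installed `(planet ...)` require, not only DrRacket's online syntax check, while the commit message names only DrRacket. The comments above both parameters still say a failure raises an `exn:fail:install?` error, but the code raises `exn:fail:planet` (defined on the very next line); correct the comments while these lines are being touched.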
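Review bot: the new message at @@ -577,7 +577,7 @@ says "Give permission with download? parameter" but this branch is guarded by `(unless (install?) ...)`, so it should name the `install?` parameter; it looks copy-pasted from the @@ -541 message. Both messages would also read better as "by setting the install?/download? parameter to #t or by running 'raco planet install'", since a user who has only ever used DrRacket will not know what "parameter" refers to, which is the GUI-shim gap raised in the covering mail.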