Andrei Alexandrescu wrote:
Georg Wrede wrote:
Walter Bright wrote:
Daniel Keep wrote:
It should be noted that this is really no different to executing
arbitrary code on a machine. That said, compiling a program is not
typically thought of as "executing" code, so some restrictions in this
case would probably be prudent.
Here's the scenario I'm concerned about. Let's say you set up a
website that instead of supporting javascript, supports D used as a
scripting language. The site thus must run the D compiler on the
source code. When it executes the resulting code, that execution
presumably will run in a "sandbox" at a low privilege level.
But the compiler itself will be part of the server software, and may
run at a higher privilege. The import feature could possible read any
file in the system, inserting it into the executable being built. The
running executable could then supply this information to the
attacker, even though it is sandboxed.
This is why even using the import file feature must be explicitly
enabled by a compiler switch, and which directories it can read must
also be explicitly set with a compiler switch. Presumably, it's a lot
easier for the server software to control the compiler switches than
to parse the D code looking for obfuscated file imports.
As almost everybody else here, I've maintained a couple of websites.
Using D to write CGI programs (that are compiled, real binaries) is
appealing, but I'd never even think about having the web server itself
use the D compiler!!!
I mean, how often do you see web sites where stuff is fed to a C
compiler and the resulting programs run????? (Yes it's too slow, but
that's hardly the point here.) That is simply not done.
Of course it is, probably just not in C. Last time I looked, there are
two concepts around, one of "statically-generated dynamic pages" and one
of "entirely dynamic pages". I know because I installed an Apache server
and at that time support for statically-generated dynamic pages was new.
What that means is this:
a) statically-generated dynamic = you generate the page once, it's good
until the source of the page changes;
b) "really" dynamic page = you generate the page at each request.
Have you ever done web development? If so, did you actually do *code
generation* on each page request? If so, I never want to work with you.
Web applications in compiled languages pretty much never invoke the
compiler when they're running. Very few programs need a compiler on the
machine they're deployed to. It's a security risk, and it's an unneeded
dependency, and it pretty much guarantees a maintenance and debugging
problem, and it promises performance issues.
