Stuart Buchanan wrote:
> Functionally, it seems reasonable to force all IO access through a
> wrapper .nas file in $FG_ROOT/Nasal that could attempt to restrict
> dangerous activities.

This is actually possible, albeit obtuse. In the existing io.nas file (which currently adds the soft-coded readfile() function to the module) you can write a loop that inspects all the local variables for functions (you can get the local variable hash as caller(0)[0]), and replace each one with a wrapper version that checks the calling file (again using caller()) against a "blessed" list. Then the problem becomes one of maintaining the "blessing" rules such that they are secure.

We can try to handle the issue from the other side too: identify all the spots where strings come in from outside the $FG_ROOT directory and audit these to make sure they can never be used as a script. One *really* easy way to do this would be to override the compile() function in globals.nas with a non-functional version. But compile() is really useful in practice...

Another option, obviously, would be to just disable the io module again. But I enabled it this time because a new release is still well off, and this seemed like a good time for experimentation.

Andy

_______________________________________________
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel
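The wrapping loop Andy sketches, written out as an added example (this is not code from the message or from FlightGear's own io.nas). It assumes it is appended to the end of $FG_ROOT/Nasal/io.nas after the io functions are defined, that caller(n) returns the usual [namespace, function, file, line] vector, and that the /sim/fg-root property holds $FG_ROOT; the blessed_prefix name and the is_blessed/wrap helpers are my own. The "blessing" rule here is a plain path-prefix test, which is exactly the part Andy says must be maintained carefully: it only identifies the source file of the immediate caller, so a blessed file that performs io on behalf of untrusted data still passes, and paths would need normalising before a prefix test is trustworthy.

```nasal
# Added example, not FlightGear code. Runs at the end of io.nas, so
# caller(0)[0] is this file's namespace, where readfile() etc. live.

# Assumption: /sim/fg-root holds $FG_ROOT; only files under it are "blessed".
var blessed_prefix = getprop("/sim/fg-root") ~ "/";

# True if the given source filename starts with the blessed prefix.
var is_blessed = func(file) {
    if (file == nil or size(file) < size(blessed_prefix)) return 0;
    return substr(file, 0, size(blessed_prefix)) == blessed_prefix;
};

# Build a replacement for one io function. The wrapper looks one frame
# up (caller(1)) to find the file that invoked it, refuses the call if
# that file is not blessed, and otherwise forwards the arguments unchanged.
var wrap = func(name, original) {
    return func {
        var frame = caller(1);
        var file = (frame == nil) ? nil : frame[2];
        if (!is_blessed(file))
            die("io." ~ name ~ "() refused: called from unblessed file "
                ~ (file == nil ? "<unknown>" : file));
        return call(original, arg);   # arg is the implicit argument vector
    };
};

# Replace every function in this namespace with its checked wrapper,
# skipping the helpers defined above so they are not wrapped themselves.
var ns = caller(0)[0];
foreach (var name; keys(ns)) {
    if (typeof(ns[name]) == "func"
        and name != "wrap" and name != "is_blessed")
        ns[name] = wrap(name, ns[name]);
}
```

Because the wrapping happens after the rest of io.nas has run, every function the module exports (readfile() included) is replaced before any other script can call it; a script loaded from outside $FG_ROOT that calls io.readfile() gets a Nasal error from die() instead of file contents.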