You could however limit every io.open to only have write access to a single directory as stated before, not allowing more sources...?
Then you could skip the .xml extention checks? As this would disable any modification outside the predefined directory. It could be set to something like FG_ROOT\storage or something? But I think I might have missed what the problem is here... I read that it was something with prop-tree and networking... Limiting writes to some directories would limit the damage that could result, but itsn't it better to try to limit what the io can do when it's invoked from a network context? But then there was some references to whatever you could trust downloaded models, but you shouldn't download models if you don't trust the source...? /Sven Melchior FRANZ wrote: > * Melchior FRANZ -- Monday 16 June 2008: > >> * Erik Hofman -- Monday 16 June 2008: >> >>> (What are the reasons to write to a file anyway?) >>> >> Writing non-<PropertyList> XML files, like they are used in the >> traffic manager and for flight plans. >> >> Writing *.stg files (adding models or adjusting elevations for >> the current terrain). >> > > Writing an *.svg file with a graphic showing the flight path, > or flight parameters. Or a smilie. > > Writing or modifying a PostScript file, for example to hand out > to children on LinuxTag or flight shows, with flight time and > duration automatically filled in. You could move that straight > to the printer. (Caution: an attacker could empty your toner > cartridge with that! ;-) > > Writing a TeX file with a table showing flight parameters, > fuel consumption, whatever. > > > None of this crucial, and all of it doable with external scripts > from XML exported data. But the possibility to do it with Nasal > drivers from within is nice. And something that other flight sims > might not be able to do. Maybe something that our corporate users > would like to do. They'll probably not download questionable > aircraft from 3rd party sources. :-) > > m. > > ------------------------------------------------------------------------- > Check out the new SourceForge.net Marketplace. > It's the best place to buy or sell services for > just about anything Open Source. > http://sourceforge.net/services/buy/index.php > _______________________________________________ > Flightgear-devel mailing list > Flightgear-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/flightgear-devel > ------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php _______________________________________________ Flightgear-devel mailing list Flightgear-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/flightgear-devel
