On Mon, Feb 13, 2012 at 9:26 PM, Leo Razoumov <slonik...@gmail.com> wrote:
> Are TH1 and Tcl interpreters properly sand-boxed? Otherwise,
> downloading and running random scripts found in some random repos does
> not strike me as sound security.

The only actions TH1 can take are to output text or HTML into designated areas of a webpage. TH1 cannot change the repository, cannot write to the disk, cannot open network connections, cannot read content from external sources, cannot consume large amounts of memory, cannot loop, and cannot call external programs or software. TH1 is not a serious threat for malware.

TCL can do more mischief, but it is only enabled if you compile with FOSSIL_ENABLE_TCL, which is off by default, and if you either set the "tcl" property on your repository or have the TH1_ENABLE_TCL environment variable set.

Moving forward, I think I'll make further security enhancements along the following lines:

(1) Disable the TH1_ENABLE_TCL environment variable. TCL script capability is only available if you enable it using the "tcl" property of the repository.

(2) Default the "tcl" property to off on a clone, even if it is on in the parent repo.

(3) Provide extra setup screens that make it easier to audit scripts for malware prior to enabling the "tcl" property. At the place where the "tcl" property is enabled, include text warning users of the potential dangers and provide buttons or links to places where the TCL script can be audited for security.

(4) Scripts are only exchanged between repositories on a "fossil clone" or "fossil configuration pull/sync". For the latter, detailed warnings about changes to scripts and recommendations to redo audits might be in order.

--
D. Richard Hipp
d...@sqlite.org
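The enablement and audit policy sketched in points (1), (2) and (4) above, as an added example that is not part of this thread or of Fossil's own code. It models a repository configuration as a plain dict; the script setting names `th1-setup` and `tcl-setup`, the `"1"`/`"0"` values of the `tcl` property, and the digest-based audit baseline are all assumptions made for the illustration.

```python
import hashlib

# Assumed setting names holding the scripts that travel with "configuration pull/sync".
SCRIPT_SETTINGS = ("th1-setup", "tcl-setup")


def script_digest(text: str) -> str:
    """Stable fingerprint of a script, recorded when a human audits it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def record_audit(config: dict) -> dict:
    """Snapshot the digests of every script present, marking them as audited."""
    return {n: script_digest(config[n]) for n in SCRIPT_SETTINGS if n in config}


def clone_config(parent: dict) -> dict:
    """Point (2): a clone inherits the scripts but the 'tcl' property defaults to off."""
    child = dict(parent)
    child["tcl"] = "0"
    return child


def audit_status(config: dict, baseline: dict) -> dict:
    """Point (4): after a sync, report which scripts are still covered by the last audit."""
    status = {}
    for name in SCRIPT_SETTINGS:
        if name not in config:
            continue
        if name not in baseline:
            status[name] = "unaudited"          # script arrived with no audit record
        elif baseline[name] != script_digest(config[name]):
            status[name] = "changed"            # content differs from what was audited
        else:
            status[name] = "audited"
    return status


def tcl_may_run(config: dict, baseline: dict) -> bool:
    """Point (1): only the repository's 'tcl' property enables Tcl (no environment
    variable is consulted), and only while every synced script matches its audit."""
    if config.get("tcl") != "1":
        return False
    return all(s == "audited" for s in audit_status(config, baseline).values())


if __name__ == "__main__":
    # Constructed sample repository: Tcl enabled, scripts audited, then a sync changes one.
    parent = {"tcl": "1", "th1-setup": "html {hello}", "tcl-setup": "puts hello"}
    baseline = record_audit(parent)
    synced = dict(parent, **{"tcl-setup": "puts something-else"})
    print("parent:", tcl_may_run(parent, baseline))        # True
    print("clone :", tcl_may_run(clone_config(parent), baseline))  # False
    print("synced:", audit_status(synced, baseline))       # tcl-setup -> "changed"
```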
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users