On Wed, Feb 15, 2012 at 11:15 PM, Nolan Darilek <no...@thewordnerd.info> wrote:

>  So is it currently possible to use TH1 to generate dynamic webpages?
> Could I use it to, say, select the last 5 events and display them on the
> main page? Or is that still out of reach?
>
> Just curious, since it seems like there are lots of scripting
> possibilities coming down the pipeline.
> Thanks!
>

I was once open to this kind of thing.  But since the security risks have
been pointed out to me, I'm now very reluctant to do anything like this.


>
>
>
> On 02/14/2012 06:58 AM, Richard Hipp wrote:
>
> On Tue, Feb 14, 2012 at 7:53 AM, Richard Hipp <d...@sqlite.org> wrote:
>
>>
>>  On Mon, Feb 13, 2012 at 9:26 PM, Leo Razoumov <slonik...@gmail.com> wrote:
>>
>>>
>>>  Are TH1 and Tcl interpreters properly sand-boxed? Otherwise,
>>> downloading and running random scripts found in some random repos does
>>> not strike me as sound security.
>>>
>>>
>> The only actions TH1 can take are to output text or HTML into designated
>> areas of a webpage.  TH1 cannot change the repository, cannot write to the
>> disk, cannot open network connections, cannot read content from external
>> sources, cannot consume large amounts of memory, cannot loop, and cannot
>> call external programs or software.  TH1 is not a serious threat for
>> malware.
>>
>> TCL can do more mischief, but it is only enabled if you compile with
>> FOSSIL_ENABLE_TCL, which is off by default, and if you either set the "tcl"
>> property on your repository or have the TH1_ENABLE_TCL environment variable
>> set.
>>
>> Moving forward, I think I'll make further security enhancements along the
>> following lines:
>>
>> (1) Disable the TH1_ENABLE_TCL environment variable.  TCL script
>> capability is only available if you enable it using the "tcl" property of
>> the repository.
>>
>> (2) Default the "tcl" property to off on a clone, even if it is on in the
>> parent repo.
>>
>> (3) Provide extra setup screens that make it easier to audit scripts for
>> malware prior to enabling the "tcl" property.  At the place where the "tcl"
>> property is enabled, include text warning users of the potential dangers
>> and provide buttons or links to places where the TCL script can be audited
>> for security.
>>
>> (4) Scripts are only exchanged between repositories on a "fossil clone"
>> or "fossil configuration pull/sync".  For the latter, detailed warnings
>> about changes to scripts and recommendations to redo audits might be in
>> order.
>>
>
> (5) If any script changes as a result of "fossil config pull" then the
> "tcl" property is automatically moved to "off" and the operator is
> notified.  The "tcl" property must be turned back on by a separate manual
> step, that includes a warning to make sure the modified scripts are secure.
>
>
>
>>
>> --
>> D. Richard Hipp
>> d...@sqlite.org
>>


-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
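A small model of the policy Richard Hipp sketches above (clone defaults "tcl" to off; a configuration pull that alters any script forces "tcl" off and notifies the operator; Tcl is honoured only when built with FOSSIL_ENABLE_TCL and the repository property is on, not via the environment variable). This is an added illustration written for this page, not Fossil's own code; settings are a plain dict and the script-bearing setting names are assumed.

```python
"""Illustrative model of the proposed TH1/Tcl script-safety policy.

Not Fossil's implementation: repository settings are modelled as a dict, and
the names in SCRIPT_KEYS are assumed placeholders for settings whose values
are executable scripts.
"""

# Assumed names for settings that hold scripts exchanged on clone/config pull.
SCRIPT_KEYS = ("th1-setup", "tcl-setup", "th1-hooks")


def tcl_enabled(settings, compiled_with_tcl, env=None):
    """Step (1): Tcl runs only if the binary was built with FOSSIL_ENABLE_TCL
    and the repository's 'tcl' property is on. The TH1_ENABLE_TCL environment
    variable is deliberately ignored under the proposed policy."""
    _ = env  # present only to show that the environment no longer counts
    return bool(compiled_with_tcl) and settings.get("tcl") == "on"


def clone(parent):
    """Step (2): a clone copies the parent's settings but never inherits an
    enabled 'tcl' property, so pulled scripts start out inert."""
    local = dict(parent)
    local["tcl"] = "off"
    return local


def config_pull(local, remote):
    """Steps (4)/(5): merge script settings pulled from the remote. If any
    script changed, force 'tcl' off and return a notice naming the changed
    keys so the operator re-audits before re-enabling. Returns
    (new_settings, notice); notice is None when no script changed."""
    merged = dict(local)
    for key in SCRIPT_KEYS:
        if key in remote:
            merged[key] = remote[key]
    changed = [k for k in SCRIPT_KEYS
               if local.get(k, "") != merged.get(k, "")]
    if not changed:
        return merged, None
    merged["tcl"] = "off"  # must be re-enabled by a separate manual step
    notice = ("config pull changed script setting(s): %s; 'tcl' has been "
              "set to off. Audit the new scripts before re-enabling it."
              % ", ".join(changed))
    return merged, notice
```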
