On Mon, 14 Aug 2023, Siddhesh Poyarekar wrote:

> 1. It makes it clear to users of the project the scope in which the project
> could be used and what safety it could reasonably expect from the project.  In
> the context of GCC for example, it cannot expect the compiler to do a safety
> check of untrusted sources; the compiler will consider #include "/etc/passwd"
> just as valid code as #include <stdio.h> and as a result, the onus is on the
> user environment to validate the input sources for safety.

Whoa, no. We shouldn't make such statements unless we are prepared to explain
to users how such validation can be practically implemented, which I'm sure
we cannot in this case, due to future extensions such as the #embed directive,
and the ability to obfuscate filenames using the preprocessor.

I think it would be more honest to say that crafted sources can result in
arbitrary code execution with the privileges of the user invoking the compiler,
and hence the operator may want to ensure that no sensitive data is available
to that user (via measures ranging from plain UNIX permissions, to chroots,
to virtual machines, to air-gapped computers, depending on threat model).

Resource consumption is another good reason to sandbox compilers.

Alexander
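One concrete form of the sandboxing suggested above, as an added example that is not part of the thread: a POSIX shell wrapper that runs a compiler on untrusted sources in a throwaway directory, with a scrubbed environment and hard resource limits (the function name, limit values and `cc` invocation are this example's own assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): run a compiler on untrusted sources
# in a throwaway directory, with a scrubbed environment and hard resource
# limits. Assumes a POSIX shell whose ulimit supports -t/-v/-f (Linux).
# This covers resource consumption and environment-borne secrets only; it is
# not a substitute for a separate user, chroot or VM where the threat model
# demands one.

# usage: sandboxed_compile CPU_SECONDS MEM_KIB COMMAND [ARGS...]
# e.g.   sandboxed_compile 60 2097152 cc -c /src/untrusted.c -o /out/u.o
# Pass absolute paths for inputs and outputs; the working directory only
# holds temporaries and is deleted afterwards.
sandboxed_compile() {
    cpu_secs=$1
    mem_kib=$2
    shift 2

    # Fresh working directory so the compiler sees nothing of the caller's
    # tree; it is removed again whatever the outcome.
    workdir=$(mktemp -d) || return 1

    (
        cd "$workdir" || exit 1
        ulimit -t "$cpu_secs" || exit 1          # CPU seconds (SIGXCPU when hit)
        ulimit -v "$mem_kib" 2>/dev/null || :    # address-space cap, where supported
        ulimit -f 262144 2>/dev/null || :        # output files <= 128 MiB (512-byte blocks)
        # Start from an empty environment so tokens and keys exported by the
        # caller (CI secrets, agent sockets) are not visible to the compiler
        # or to anything a crafted source makes it execute.
        exec env -i PATH=/usr/bin:/bin HOME="$workdir" TMPDIR="$workdir" "$@"
    )
    rc=$?
    rm -rf "$workdir"
    return "$rc"
}
```

The wrapper propagates the compiler's exit status, so a build script can still distinguish a failed compile from a limit being hit.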
