#6017: Reading ./.ghci files raises security issues
------------------------------+---------------------------------------------
 Reporter:  nomeata           |          Owner:                  
     Type:  task              |         Status:  new             
 Priority:  normal            |      Component:  GHCi            
  Version:  7.4.1             |       Keywords:                  
       Os:  Unknown/Multiple  |   Architecture:  Unknown/Multiple
  Failure:  Other             |       Testcase:                  
Blockedby:                    |       Blocking:                  
  Related:                    |  
------------------------------+---------------------------------------------
 GHCi will execute .ghci files in the current directory, and this can be
 used to run arbitrary shell commands.

 It seems to me that most people would not expect that running "ghci" in a
 directory can cause arbitrary commands to be executed. This could be a
 security issue, e.g. running ghci in a just downloaded software package
 with a rogue .ghci file.

 Also, it affects invocations of "ghc -e", which conceivably could be used in
 aliases or scripts for some action unrelated to running a ghci session, as
 in http://www.joachim-breitner.de/blog/archives/156-Haskell-on-the-Command-Line.html

 I just noticed that it will not read files in directories not owned by you
 and warn you about it (e.g. in /tmp), which is a good start. But this does
 not help against files in packaged repositories.

 Maybe ghci could keep a white-list of files somewhere in ~/.ghci and ask
 if it should execute a .ghci file that has not been encountered before.

 Alternatively (and more work) a safe subset of options (such as inclusion
 paths) could be identified and only those would be allowed in ./.ghci,
 while ~/.ghci allows all commands.

-- 
Ticket URL: <http://hackage.haskell.org/trac/ghc/ticket/6017>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
Glasgow-haskell-bugs mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/glasgow-haskell-bugs
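A pre-flight check along the lines of the two proposals in the ticket (a trust list keyed by file hash, and a "safe subset" filter for a project-local .ghci), added here as an illustration; it is not part of the ticket or of GHC, and the trust-list file name and the set of flags treated as safe are assumptions.

```python
"""Audit a project-local .ghci before GHCi would execute it (added example)."""
import hashlib
import re

# Assumption: only :set flags that adjust search paths, language extensions
# or warnings count as "safe"; everything else is reported.
SAFE_SET_FLAG = re.compile(
    r"^(-i\S*|-X[A-Za-z0-9]+|-W[A-Za-z0-9-]*|-f(no-)?warn-[A-Za-z0-9-]+)$"
)
CODE_DIRECTIVES = (":def", ":script", ":cmd", ":load", ":l ", ":module", ":m ")


def classify_line(line: str) -> tuple[str, str]:
    """Return ("safe" | "unsafe" | "blank", reason) for one .ghci line."""
    s = line.strip()
    if not s or s.startswith("--"):
        return "blank", ""
    if s.startswith(":set "):
        bad = [f for f in s[len(":set "):].split() if not SAFE_SET_FLAG.match(f)]
        if not bad:
            return "safe", ""
        return "unsafe", ":set with flag(s) outside the safe subset: " + " ".join(bad)
    if s.startswith(":!"):
        return "unsafe", "runs a shell command"
    if s.startswith(CODE_DIRECTIVES):
        return "unsafe", "loads modules or defines commands"
    return "unsafe", "Haskell expression evaluated at startup"


def audit(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, line, reason) for every unsafe line in a .ghci."""
    return [(n, line.strip(), why) for n, line in enumerate(text.splitlines(), 1)
            for kind, why in [classify_line(line)] if kind == "unsafe"]


def digest(data: bytes) -> str:
    """SHA-256 hex digest that identifies a .ghci file in the trust list."""
    return hashlib.sha256(data).hexdigest()


def is_trusted(data: bytes, trust_list: str) -> bool:
    """trust_list is the text of an assumed ~/.ghci-trusted: one digest per line."""
    return digest(data) in trust_list.split()


# Constructed sample of a project-local .ghci, not taken from any real package.
SAMPLE_GHCI = """\
-- project settings
:set -isrc -itest
:set -XOverloadedStrings -Wall
:set prompt "> "
:! echo hello
:def hoogle \\s -> return $ ":! hoogle " ++ s
"""

if __name__ == "__main__":
    for n, line, why in audit(SAMPLE_GHCI):
        print(f"line {n}: {why}: {line}")
```

A wrapper would run `audit` and `is_trusted` on ./.ghci and prompt the user before starting ghci when the file is unknown or contains unsafe lines.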
