#6017: Reading ./.ghci files raises security issues
---------------------------------+------------------------------------------
Reporter: nomeata               | Owner: pminten
Type: task                      | Status: patch
Priority: high                  | Milestone: 7.8.1
Component: GHCi                 | Version: 7.4.1
Keywords:                       | Os: Unknown/Multiple
Architecture: Unknown/Multiple  | Failure: Other
Difficulty: Unknown             | Testcase:
Blockedby:                      | Blocking:
Related:                        |
---------------------------------+------------------------------------------
Comment(by pminten):

There is also the question of what you want to check with the blacklist/whitelist mechanism. The .ghci files can be divided into three categories: explicitly passed (-ghci-script), standard location (~/.ghci, ~/.ghc/ghci.conf) and current directory. Also, .ghci files can source other .ghci files using :script (with arbitrary names; they don't need to be called .ghci, obviously).

The patch simply says that only files in the current directory are a threat, and that if the user approves such a file the trust in that file cascades to whatever files are sourced. With the patch the "/foo/bar/ghci-config" in your example wouldn't need to be whitelisted, because the only way for it to be loaded is through -ghci-script (in which case it would be trusted) or by another file (in which case it would inherit the trustedness).

Having a way to configure the default blacklist approach is a good idea, but if the blacklist is expanded as you seem to suggest, a single knob probably won't suffice. There's a very good chance the user doesn't want the blacklist mechanism to ask for files (s)he explicitly requests to be loaded. So you'd get at least two settings. But you may also want to have a knob for the files loaded by .ghci files; the user may not appreciate being asked for every included file. There would be at least 4 knobs.

But I suspect all but one would have a default that nobody changes. For files the user explicitly passes and files included by those, the default would be allow. For files included by not automatically trusted files, the default would be to allow them if the including file is allowed (if that file can be nasty you already have the security problem). So only the not automatically trusted files (the .ghci files) in the current directory would need a knob. One could imagine that files on a blacklist are rejected even if the user asks for them; this could be a knob too. With this reasoning you'd get at most 2 knobs and a lot of hardcoded behaviour.

Of course, if there are situations where you'd want something different than the defaults indicated above, the reasoning doesn't apply.

--
Ticket URL: <http://hackage.haskell.org/trac/ghc/ticket/6017#comment:7>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler
_______________________________________________
Glasgow-haskell-bugs mailing list
Glasgow-haskell-bugs@haskell.org
http://www.haskell.org/mailman/listinfo/glasgow-haskell-bugs
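The trust model sketched in the comment above (three origins for a config file, trust cascading through :script includes, one knob for the current-directory case and an optional hard blacklist) can be written down as a small policy evaluator. The following is an added example for illustration, not GHC's code and not the patch under discussion; the file contents, paths, the Policy fields and the ask() callback are constructed here and are not taken from the ticket.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    EXPLICIT = "explicit"   # passed on the command line via -ghci-script
    STANDARD = "standard"   # ~/.ghci or ~/.ghc/ghci.conf
    CWD = "cwd"             # ./.ghci picked up from the working directory
    SOURCED = "sourced"     # pulled in by another file through :script


@dataclass
class Policy:
    # Knob 1 (assumed name): what to do with ./.ghci: "allow", "deny" or "ask".
    cwd_default: str = "ask"
    # Knob 2 (assumed name): files rejected even when explicitly requested.
    blacklist: frozenset = frozenset()
    # Current-directory files the user has already approved.
    whitelist: frozenset = frozenset()


# A ':script <file>' line sources another command file.
SCRIPT_RE = re.compile(r"^\s*:script\s+(\S+)")


def sourced_files(content):
    """Return the paths a config file pulls in via :script, in order."""
    return [m.group(1) for line in content.splitlines()
            if (m := SCRIPT_RE.match(line))]


def is_trusted(path, origin, policy, ask):
    """Decide trust for a top-level (not sourced) config file."""
    if path in policy.blacklist:
        return False                      # hard reject, even if explicitly passed
    if origin in (Origin.EXPLICIT, Origin.STANDARD):
        return True                       # user asked for it: trusted by default
    # Origin.CWD: the only case the comment treats as a threat.
    if path in policy.whitelist:
        return True
    if policy.cwd_default == "allow":
        return True
    if policy.cwd_default == "deny":
        return False
    return bool(ask(path))                # "ask": defer to the user


def load_plan(files, entry, origin, policy, ask=lambda path: False):
    """Walk the :script include graph from `entry` and return an ordered
    list of (path, loaded) pairs. A file is only read, and its includes
    only visited, when it is trusted; sourced files inherit the trust of
    the file that included them."""
    plan, seen = [], set()

    def visit(path, origin, parent_trusted):
        if path in seen:                  # guard against :script cycles
            return
        seen.add(path)
        if origin is Origin.SOURCED:
            trusted = parent_trusted and path not in policy.blacklist
        else:
            trusted = is_trusted(path, origin, policy, ask)
        plan.append((path, trusted))
        if not trusted:
            return                        # nothing below an untrusted file is touched
        for child in sourced_files(files.get(path, "")):
            visit(child, Origin.SOURCED, True)

    visit(entry, origin, None)
    return plan


# Constructed sample files standing in for the real filesystem.
SAMPLE_FILES = {
    "/home/alice/.ghci": ':set prompt "ghci> "\n',
    "/home/alice/proj/.ghci": ":script /home/alice/proj/ghci-extras\n:set -Wall\n",
    "/home/alice/proj/ghci-extras": ":set -fwarn-unused-imports\n",
    "/foo/bar/ghci-config": ":set -fobject-code\n",
}

if __name__ == "__main__":
    # A ./.ghci in a checked-out project: prompt, and cascade trust on approval.
    print(load_plan(SAMPLE_FILES, "/home/alice/proj/.ghci", Origin.CWD,
                    Policy(), ask=lambda p: True))
    # Explicitly passed file: loaded without needing a whitelist entry.
    print(load_plan(SAMPLE_FILES, "/foo/bar/ghci-config", Origin.EXPLICIT,
                    Policy()))
```

The two things worth noticing are that the explicitly passed /foo/bar/ghci-config never consults the whitelist, matching the comment's point, and that declining the current-directory file stops the walk before its :script targets are even opened, so a sourced file is never evaluated on its own merits.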