That is an interesting problem. It would be nice to have sandboxing. I'm writing to point out that there has been an attempt to make "out-of-the-box" sandboxing work. The modules (ice-9 safe) and (ice-9 safe-r5rs) should be sandboxed environments, I think. (I encountered them while looking for undocumented modules.) There's also the (ice-9 null) module, which gives an environment with only the basic syntax and no procedures at all.
Noah

On Sun, May 6, 2012 at 2:17 PM, Mark H Weaver <m...@netris.org> wrote:
> Hello all,
>
> Every once in a while someone asks about secure sandboxing with Guile,
> and generally the response is that it should be fairly easy, by creating
> a module with carefully selected bindings, but there's nothing ready
> "out of the box".
>
> I just realized that psyntax has a security hole that prevents secure
> sandboxing, and wanted to post this fact before it was forgotten.
>
> The problem is that psyntax accepts syntax-objects in the input, and
> syntax-objects are simply vectors (or sexps containing vectors).
> Therefore, it is always possible to _forge_ syntax-objects that refer to
> arbitrary bindings in arbitrary modules, even if the usual bindings of
> '@' and '@@' are not available.
>
> In particular (although this is an internal implementation detail that
> you cannot rely upon!) in Guile 2.0 the following two expressions are
> treated equivalently:
>
> (@@ (ice-9 popen) open-pipe*)
>
> #(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
>
> I don't think we can plug this hole until 2.2.
>
> Mark
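As an added illustration (not code from either message or from Guile itself) of the defensive check a sandbox could apply while the psyntax issue is open: since a Guile 2.0 syntax object is just a vector, the input datum can be rejected before it ever reaches eval if it contains any vector at all. It assumes Guile 2.0 and that (ice-9 safe) provides make-safe-module; the two input strings are constructed for the example.

```scheme
;; Added example, not from the thread.  Assumes Guile 2.0, where a syntax
;; object is a vector tagged #(syntax-object ...) as Mark's message says,
;; and that (ice-9 safe) provides make-safe-module (the module Noah names).
(use-modules (ice-9 safe))

;; Walk a datum produced by `read' and report whether any vector occurs in
;; it.  Any vector could be a forged syntax object, so the check is
;; deliberately conservative and also rejects ordinary vector literals such
;; as #(1 2 3); a sandbox that needs those must accept the trade-off.
(define (contains-vector? datum)
  (cond ((vector? datum) #t)
        ((pair? datum) (or (contains-vector? (car datum))
                           (contains-vector? (cdr datum))))
        (else #f)))

;; Read one expression from untrusted text and evaluate it in a fresh safe
;; module only if it passes the pre-check.  This filters the *input* datum
;; only; it does nothing about syntax objects built at run time, so the
;; sandbox must still not expose eval, the module system, '@' or '@@'.
(define (sandbox-eval-string text)
  (let ((datum (read (open-input-string text))))
    (if (contains-vector? datum)
        (throw 'forged-syntax-object datum)
        (eval datum (make-safe-module)))))

;; Constructed inputs: a harmless expression, then the forged syntax object
;; from Mark's message, which the pre-check refuses to evaluate.
(define (demo)
  (list (sandbox-eval-string "(+ 1 2)")
        (catch 'forged-syntax-object
          (lambda ()
            (sandbox-eval-string
             "#(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))"))
          (lambda (key datum) 'rejected))))
```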