Oops, sorry I missed the last sentence of your email. You are right. What's required however is some kind of security policy and for each ant task we should allow, a security analysis of whether it is considered "safe" or not.
For example, the <javadoc> task creates a bunch of files. What if someone configured it to write these files to /srv/www (or whatever your document root is) so that it overwrote your existing index.html? Etc. A larger issue is that the tasks that we currently do allow in "safe" mode are already questionably "safe". E.g., <move> and <copy> are already perfectly capable of obliterating any sensitive files you may have. So, it's worth thinking about the big picture. E.g., at one point I suggested getting rid of "safe" mode (because it's not really safe) and have things always work in "unrestricted" mode. But other folks didn't like that idea -- with good reason. In the short term, it's reasonable to suggest that since <javadoc> is no less safe than <move> or <copy> then it should be included as well. But before we go through each and every ant task maybe we should think about whether "safe" mode is really useful. -Archie On Mon, Mar 23, 2009 at 11:45 AM, Stephen Woods <[email protected]> wrote: > Well, yeah... I know that you can just set restricted="false" - I said > as much. But this opens the flood gates for all kinds of malicious > behavior. As far as I know, javadoc should be safe enough to run in > restricted mode. > > It would be nice to be able to run javadoc _without_ having to set > restricted to "false". > > > On Mon, Mar 23, 2009 at 9:15 AM, Archie Cobbs <[email protected]> > wrote: > > You can do this already. You just have to set restricted="false" in your > > configuration of the packager resolver. Documentation is > > here< > http://ant.apache.org/ivy/history/latest-milestone/resolver/packager.html> > > . > > > > -Archie > > > > On Sun, Mar 22, 2009 at 2:28 PM, Stephen Woods <[email protected]> > wrote: > > > >> The packager resolver limits the types of ant commands a packager uses > >> to build its appropriate artifacts. Many of the source distributions > >> do not bundle pre-generated javadoc, but they do bundle source. It > >> would be nice to be able to run the javadoc ant task during the > >> packaging process in order to make javadoc artifacts without needing > >> to set the restricted attribute to "false". Is it even possible to > >> compromise a system by running javadoc? > >> > >> Just a thought for future ivy releases... > >> > > > > > > > > -- > > Archie L. Cobbs > > > -- Archie L. Cobbs
