I still think you're crazy, but I now understand what you're trying to do. I think what you want is likely something we'd want to add a hook for at the framework level (and actually have discussed this before... each request running in its own process). You'd probably want to run with thin (or in a non-threaded environment) and make sure nginx was set up to redispatch any requests that came back from a disconnected backend. -- Yehuda
On Wed, Jan 28, 2009 at 2:33 PM, Rich Morin <[email protected]> wrote:
>
> At 11:35 -0600 1/28/09, Yehuda Katz wrote:
> > One option is to exit(128) in a middleware or something.
>
> I was hoping to do this in the context of Merb, but if a middleware is a cleaner solution, I'm OK with that.
>
> > However, you're in a much bigger pickle than you think. If the user can run arbitrary code, what's stopping them from eval("FileUtils.rm_rm('/')")
>
> Several things:
>
> * The app will be running as an unprivileged user, in a chrooted jail (eg, Jailkit), within a substantially locked- and stripped-down instance of Debian Linux.
>
> * The Linux instance will be running inside a Virtual Machine (eg, VirtualBox), with no access to the host file system. There will also be precautions taken to keep the VM from sending unsolicited packets to any unauthorized IP/port combinations.
>
> So, things aren't quite as perilous as they might be. See:
>
> http://cfcl.com/twiki/bin/view/Projects/Ontiki/Architecture
> http://cfcl.com/twiki/bin/view/Projects/Ontiki/Security
>
> At 10:14 -0800 1/28/09, Matt Aimonetti wrote:
> > Rich, I'm with Yehuda on this one, you really shouldn't let users run arbitrary code. I'd suggest you use one of the available tools such as liquid or kwartz, otherwise, it's a recipe for disaster.
> >
> > Also, the run_later solution might be tricky, since the thread might start before the request is done + run_later doesn't on passenger... anyways, as I said, you should use a safe template language.
>
> I looked at Liquid, but there are a couple of problems with it, for my purposes. First, it's not really Ruby, so the syntax is going to present a new learning curve. Also, I don't want to get into "wrapping" every call that one of my users might want to use (and worrying about the possibility for each call to do damage). That way lies madness.
>
> I haven't studied Kwartz much, but it seems to have a very similar set of problems. The most intriguing possibility is Why's Sandbox, because it's actually Ruby, but it still puts me into trench warfare against problematic code. So, I think I'll pursue this approach for the moment...
>
> -r
> --
> http://www.cfcl.com/rdm            Rich Morin
> http://www.cfcl.com/rdm/resume     [email protected]
> http://www.cfcl.com/rdm/weblog     +1 650-873-7841
>
> Technical editing and writing, programming, and web development

--
Yehuda Katz
Developer | Engine Yard
(ph) 718.877.1325
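The per-process isolation Yehuda suggests above (each request in its own process, the process discarded afterwards), as an added example that is not code from the thread or from Merb. It assumes a Rack-compatible app object (`call(env)` returning `[status, headers, body]`) and a forkable, non-threaded server, as the reply notes; the response is passed back as JSON precisely because the child is the untrusted side of the pipe.

```ruby
require 'json'
require 'timeout'

# Added example, not code from the thread or from Merb: a Rack-style middleware
# that runs each request in a forked child, so whatever untrusted code does to
# the interpreter (or a deliberate exit(128)) dies with that child. The wrapped
# app is assumed to be a Rack app: call(env) -> [status, headers, body].
class ForkPerRequest
  def initialize(app, time_limit: 2)
    @app = app
    @time_limit = time_limit # seconds before a runaway child is killed
  end

  def call(env)
    reader, writer = IO.pipe
    pid = fork do
      reader.close
      result = begin
        status, headers, body = @app.call(env)
        chunks = []
        body.each { |c| chunks << c }
        [status, headers, chunks]
      rescue Exception => e # untrusted code may raise anything, even SystemExit
        [500, { 'Content-Type' => 'text/plain' }, ["error: #{e.class}"]]
      end
      writer.write(JSON.generate(result))
      writer.close
      exit!(0) # hard exit: no at_exit hooks, and this process is never reused
    end
    writer.close
    begin
      raw = Timeout.timeout(@time_limit) { reader.read } # EOF once the child exits
    rescue Timeout::Error
      Process.kill('KILL', pid) # looping or sleeping code: kill it, do not wait
      raw = ''
    ensure
      reader.close
      Process.wait(pid) # always reap, or every request leaves a zombie behind
    end
    return [504, { 'Content-Type' => 'text/plain' }, ['worker killed or exited early']] if raw.empty?
    # JSON rather than Marshal: the child is the untrusted side of this pipe,
    # so its output is parsed as plain data, never deserialized into objects.
    JSON.parse(raw)
  end
end
```

Anything the user code changes in the child (globals, constants, monkey patches) is gone when the child exits, which the second check in the test below demonstrates with a mutated closure variable.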
