Thanks. Where is all of this implemented?

On 4 Nov 2013 15:20, "William Stein" <[email protected]> wrote:

> On Mon, Nov 4, 2013 at 6:04 AM, Christophe Bal <[email protected]> wrote:
> > Indeed there are small security problems and big ones. The use of eval or
> > exec can cause real big problems. I'll try to show that in private. Not
> > here... I'm not sure to do such a hack but if the actual version uses exec
> > or eval, it would be possible.
> >
> > My remark is just to help and not to criticize freely. Sorry for my English
> > because this is not my natural language.
>
> Fortunately, in the context of https://cloud.sagemath.com there are
> absolutely no security issues associated with using exec, eval, etc.
> This is because all relevant Python code is run in an isolated virtual
> machine, in which the user is explicitly given -- by the security
> model -- full shell access (in that VM). That's made clear in this
> case, since there is literally a terminal in cloud.sagemath.
>
> There are other contexts where exec/eval must be avoided, but this
> isn't one of them, fortunately.
>
> William
>
> > Best regards.
> > Christophe
> >
> > On 4 Nov 2013 09:46, "Nils Bruin" <[email protected]> wrote:
> >
> >> On Sunday, November 3, 2013 11:19:45 PM UTC-8, projetmbc wrote:
> >>>
> >>> The use of AST is a pretty way BUT you must not use eval or exec because
> >>> of real security issues. It's easy to find explanations about that on the
> >>> web.
> >>
> >> If you read these explanations, you'll see that by the same logic, you
> >> shouldn't run a notebook server because of real security issues (and if you
> >> don't understand that, then you should indeed not run a notebook server
> >> accessible to other people). The code that is input into a notebook is
> >> already run via something equivalent to exec (try and think of another way
> >> of letting sage do what it does). The code proposed is not less secure than
> >> what we're already doing in the notebook.
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "sage-support" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> To post to this group, send email to [email protected].
> >> Visit this group at http://groups.google.com/group/sage-support.
> >> For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> William Stein
> Professor of Mathematics
> University of Washington
> http://wstein.org
