Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-12-04 Thread GHC
#6017: Reading ./.ghci files raises security issues
---------------------------------+-----------------------------------
    Reporter:  nomeata           |      Owner:  pminten
        Type:  task              |     Status:  patch
    Priority:  high              |  Milestone:  7.8.1
   Component:  GHCi              |    Version:  7.4.1
    Keywords:                    |         Os:  Unknown/Multiple
Architecture:  Unknown/Multiple  |    Failure:  Other
  Difficulty:  Unknown           |   Testcase:
   Blockedby:                    |   Blocking:
     Related:                    |
---------------------------------+-----------------------------------

Comment(by simonmar):

 Let's not go overboard here. Even if we do a whitelist, someone will point
 out that we should be adding hashes of the .ghci file to the whitelist and
 failing if the hash doesn't match.

 If people think that this is really a security problem (and I'm not
 convinced it is, e.g. `gdb` reads `.gdbinit` unconditionally), then we can
 just switch the default to not read `.ghci` files in the current
 directory, and add a flag to enable it (`-ignore-dot-ghci` ignores all,
 but we want a way to just ignore the one in the current directory).  If
 you want to read a specific `.ghci` by default then there are lots of ways
 to do it: add some code to your `~/.ghci` to implement an explicit
 whitelist, or invoke ghci via a script or a shell alias.

-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:8
GHC http://www.haskell.org/ghc/
The Glasgow Haskell Compiler

___
Glasgow-haskell-bugs mailing list
Glasgow-haskell-bugs@haskell.org
http://www.haskell.org/mailman/listinfo/glasgow-haskell-bugs
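
The wrapper-script route suggested in the comment above, as an added example that is not code from the ticket or from GHC: a shell function that turns off implicit `.ghci` loading with `-ignore-dot-ghci` and passes back `~/.ghci`, plus the current directory's `.ghci` only when its path is listed in a whitelist file. The names `ghci_vetted`, `cwd_dot_ghci_vetted` and `GHCI_WHITELIST` are assumptions, and the example relies on `-ghci-script` files still being read when `-ignore-dot-ghci` is given.

```sh
#!/bin/sh
# Added example: vet ./.ghci before ghci sees it. All names are hypothetical.

# One absolute .ghci path per line; the location is this example's assumption.
GHCI_WHITELIST=${GHCI_WHITELIST:-$HOME/.ghc/ghci_whitelist}

# cwd_dot_ghci_vetted DIR: succeed only if DIR/.ghci exists and its exact
# path is a line of the whitelist file.
cwd_dot_ghci_vetted() {
    [ -f "$1/.ghci" ] && [ -f "$GHCI_WHITELIST" ] &&
        grep -Fxq -- "$1/.ghci" "$GHCI_WHITELIST"
}

# ghci_vetted [GHCI-ARGS...]: run ghci with implicit .ghci loading off and
# only vetted scripts passed back in explicitly.
ghci_vetted() {
    # Physical path: whitelist entries are matched against the real
    # directory, not against a symlink name.
    here=$(pwd -P)
    if [ "$here" != "$HOME" ] && cwd_dot_ghci_vetted "$here"; then
        set -- -ghci-script "$here/.ghci" "$@"
    fi
    # The home-directory script is trusted and re-added explicitly.
    if [ -f "$HOME/.ghci" ]; then
        set -- -ghci-script "$HOME/.ghci" "$@"
    fi
    ghci -ignore-dot-ghci "$@"
}
```

Call `ghci_vetted` in place of `ghci`; a `.ghci` in an unlisted directory is then never read.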


Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-11-30 Thread GHC
#6017: Reading ./.ghci files raises security issues

Comment(by pminten):

 There is also the question of what you want to check with the
 blacklist/whitelist mechanism. The .ghci files can be divided into three
 categories: explicitly passed (-ghci-script), standard location (~/.ghci,
 ~/.ghc/ghci.conf) and current directory. Also .ghci files can source other
 .ghci files using :script (with arbitrary names, don't need to be called
 .ghci obviously).

 The patch simply says that only files in the current directory are a
 threat and that if the user approves such a file the trust in that file
 cascades to whatever files are sourced.

 With the patch the /foo/bar/ghci-config in your example wouldn't need to
 be whitelisted because the only way for it to be loaded is through
 -ghci-script (in which case it would be trusted) or by another file (in
 which case it would inherit the trustedness).

 Having a way to configure the default blacklist approach is a good idea
 but if the blacklist is expanded as you seem to suggest a single knob
 probably won't suffice. There's a very good chance the user doesn't want
 the blacklist mechanism to ask for files (s)he explicitly requests to be
 loaded. So you'd get at least two settings. But you may also want to have
 a knob for the files loaded by .ghci files, the user may not appreciate
 being asked for every included file.

 There would be at least 4 knobs. But I suspect all but one would have a
 default that nobody changes. For files the user explicitly passes and
 files included by those the default would be allow. For files included by
 not automatically trusted files the default would be to allow them if the
 including file is allowed (if that file can be nasty you already have the
 security problem). So only the not automatically trusted files (the .ghci
 files) in the current directory would need a knob.

 One could imagine that files on a blacklist are rejected even if the user
 asks for them, this could be a knob too.

 With this reasoning you'd get at most 2 knobs and a lot of hardcoded
 behaviour. Of course if there are situations where you'd want something
 different than the defaults indicated above the reasoning doesn't apply.

-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:7


Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-11-29 Thread GHC
#6017: Reading ./.ghci files raises security issues

Comment(by igloo):

 Hmm, I think there are 5 things we might want to do with a .ghci file:
  1. Silently ignore it
  2. Silently execute it
  3. Warn the user that we are ignoring it
  4. Warn the user that we are executing it
  5. Ask the user what to do
 although I'm not sure (4) is useful. Presumably ghci -v would tell you
 anyway.

 Perhaps we should have a `~/.ghc/ghci.config` and `~/.ghc/ghc-e.config` in
 which you can say one of
 {{{
 evaluate-dot-ghci: no
 evaluate-dot-ghci: yes
 evaluate-dot-ghci: warn-no
 evaluate-dot-ghci: warn-yes
 evaluate-dot-ghci: ask
 }}}
 and likewise a way to white/blacklist particular paths in those files?
 Default should probably be warn-no, and perhaps when creating the file
 initially we should by default add an entry whitelisting ~/.ghci?

 If we have a way to whitelist filenames, it would be straightforward to
 allow filenames other than .ghci to be whitelisted, so for example you
 could whitelist /foo/bar/ghci-config if you wanted to have ghci commands
 with a non-dotfile filename in a project.

-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:6


Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-11-20 Thread GHC
#6017: Reading ./.ghci files raises security issues
---------------------------------+-----------------------------------
    Reporter:  nomeata           |      Owner:  pminten
        Type:  task              |     Status:  new
    Priority:  high              |  Milestone:  7.8.1
   Component:  GHCi              |    Version:  7.4.1
    Keywords:                    |         Os:  Unknown/Multiple
Architecture:  Unknown/Multiple  |    Failure:  Other
  Difficulty:  Unknown           |   Testcase:
   Blockedby:                    |   Blocking:
     Related:                    |
---------------------------------+-----------------------------------
Changes (by pminten):

  * owner:  => pminten


-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:2


Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-11-20 Thread GHC
#6017: Reading ./.ghci files raises security issues
Changes (by pminten):

  * status:  new => patch


Comment:

 Here's a patch that adds a whitelist/blacklist mechanism. When ghci
 encounters a .ghci file in the current directory and the current directory
 is not the home dir (which is trusted) and the file does not match one of
 the -ghci-script arguments ghci will look in ~/.ghc/ghci_blacklist and
 then in ~/.ghc/ghci_whitelist. If it finds the .ghci file's path there it
 will respectively not load and load the file. If the .ghci file is in
 neither list the user will be asked.

 If ghc -e is used no messages will be printed and no questions asked.
 Unknown .ghci files are treated as blacklisted.

 I don't have a testsuite update for this patch, wouldn't know how to test
 this automatically.

-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:3
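
The decision order described in the comment above, written out as an added example (not the patch itself, which is not shown on this page). Function names, argument order and the `interactive`/`batch` mode strings are assumptions; list lookup is an exact-line match on the file's path.

```sh
#!/bin/sh
# Added example, not the patch's code. Function names and the
# "interactive"/"batch" mode strings are hypothetical.

# in_list FILE PATH: succeed if PATH is exactly one line of FILE.
in_list() {
    [ -f "$1" ] && grep -Fxq -- "$2" "$1"
}

# dot_ghci_decision DIR HOMEDIR LISTDIR MODE [SCRIPT...]
#   DIR       directory containing the candidate .ghci
#   HOMEDIR   the user's home directory (trusted)
#   LISTDIR   directory holding ghci_blacklist and ghci_whitelist
#   MODE      "interactive" for ghci, "batch" for ghc -e
#   SCRIPT... paths that were passed with -ghci-script
# Prints one of: load, skip, ask.
dot_ghci_decision() {
    dir=$1; homedir=$2; listdir=$3; mode=$4
    shift 4
    file=$dir/.ghci
    # The home directory is trusted.
    if [ "$dir" = "$homedir" ]; then echo load; return 0; fi
    # A file the user named with -ghci-script is trusted.
    for script in "$@"; do
        if [ "$script" = "$file" ]; then echo load; return 0; fi
    done
    # The blacklist is consulted before the whitelist.
    if in_list "$listdir/ghci_blacklist" "$file"; then echo skip; return 0; fi
    if in_list "$listdir/ghci_whitelist" "$file"; then echo load; return 0; fi
    # Unknown file: ask in ghci, treat as blacklisted under ghc -e.
    if [ "$mode" = batch ]; then echo skip; else echo ask; fi
}

# Constructed demo: no list files exist, so the project file is unknown.
dot_ghci_decision /work/project /home/user /nonexistent-lists interactive  # ask
dot_ghci_decision /work/project /home/user /nonexistent-lists batch        # skip
```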


Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-11-20 Thread GHC
#6017: Reading ./.ghci files raises security issues
Changes (by pminten):

 * cc: peter.minten@… (added)


-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:4


Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-11-20 Thread GHC
#6017: Reading ./.ghci files raises security issues

Comment(by nomeata):

 Thanks for taking this issue seriously; the approach you describe sounds
 sane.

-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:5


Re: [GHC] #6017: Reading ./.ghci files raises security issues

2012-09-28 Thread GHC
#6017: Reading ./.ghci files raises security issues
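---------------------------------+-----------------------------------
    Reporter:  nomeata           |      Owner:
        Type:  task              |     Status:  new
    Priority:  high              |  Milestone:  7.8.1
   Component:  GHCi              |    Version:  7.4.1
    Keywords:                    |         Os:  Unknown/Multiple
Architecture:  Unknown/Multiple  |    Failure:  Other
  Difficulty:  Unknown           |   Testcase:
   Blockedby:                    |   Blocking:
     Related:                    |
---------------------------------+-----------------------------------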
Changes (by igloo):

  * priority:  normal => high
  * difficulty:  => Unknown
  * milestone:  => 7.8.1


-- 
Ticket URL: http://hackage.haskell.org/trac/ghc/ticket/6017#comment:1