[ww-bugs] Bug 3411: New: Bug due to failure to follow ../parserOrientation.pl link

bugzilla-daemon at webwork.maa.org
Thu Sep 3 14:59:46 EDT 2015


http://bugs.webwork.maa.org/show_bug.cgi?id=3411

           Summary: Bug due to failure to follow ../parserOrientation.pl
                    link
           Product: Problem libraries
           Version: unspecified
          Platform: PC
               URL: /opt/webwork/courses/fall15mth208/templates/setOrientation/prob14/prob14.pg_with_problemSeed=1963
        OS/Version: Mac OS
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Library (OPL)
        AssignedTo: goehle at gmail.com
        ReportedBy: gage at math.rochester.edu
        Web browser ---
           version:


Problem 14 of the standard Orientation set.  There are some other examples in
the set as well.  

The top of the problem is 

loadMacros(
  "PGstandard.pl",
  "PGchoicemacros.pl",
  "PGgraphmacros.pl",
  "PGunion.pl",
  "imageChoice.pl",
  "../parserOrientation.pl",
  "PGcourse.pl"
);



and the location of the problem is 
/setOrientation/prob14/prob14.pg

This is a common address for problems that contain pictures (enclose the .pg
file and the .gif files in a directory with the same name as the problem).  In
this case the location of parserOrientation is in the setOrientation directory.

It's been felt that it was a desirable feature to be able to put a macro file
that was specialized to just one problem or one group of problems and the
Orientation set shows a good reason to have that available.  On the other hand
this construction has not yet been used a lot and there are a few workarounds.

This problem is arising because, to close a safety loophole, we have disallowed
the use of ../ in paths.  (Also, for security reasons we have blocked access to
course.conf and simple.conf for most instructors.  While we don't know that
these "features" have been used for destructive hacks, we have thought of
(untested) ways that an instructor or TA with access to the file manager could
take down the entire computer.)
Thoughts about the best way to handle this?

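One way to permit a problem-local macro such as ../parserOrientation.pl without reopening the ../ loophole is to canonicalize the requested path and accept it only when it stays inside the course templates directory. The Perl below is an added example, not WeBWorK code and not part of the original report; resolve_macro, the .pl-only restriction and the temporary directory layout are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: resolve a macro name relative to the problem file and
# accept it only if the canonical path is a .pl file located under $root.
sub resolve_macro {
    my ($root, $problem_file, $macro) = @_;
    return if $macro =~ /\0/ or File::Spec->file_name_is_absolute($macro);
    return unless $macro =~ /\.pl\z/;       # assumed policy: macro files only
    my $real_root = abs_path($root) or return;
    # abs_path follows symlinks and collapses "..", so the comparison below is
    # made on canonical paths rather than on the string the author typed.
    my $real = abs_path(File::Spec->catfile(dirname($problem_file), $macro));
    return unless defined $real and -f $real;
    return index($real, "$real_root/") == 0 ? $real : undef;
}

# Constructed layout mirroring the report: the macro sits one level above prob14/.
my $course    = tempdir(CLEANUP => 1);
my $templates = "$course/templates";
make_path("$templates/setOrientation/prob14");
for my $f ("$templates/setOrientation/parserOrientation.pl",
           "$templates/setOrientation/prob14/prob14.pg",
           "$course/course.conf", "$course/outside.pl") {
    open my $fh, '>', $f or die "$f: $!";
    close $fh;
}
# A symlink inside templates that points outside it must also be refused.
symlink "$course/outside.pl", "$templates/setOrientation/link.pl";

my $pg = "$templates/setOrientation/prob14/prob14.pg";
for my $m ("../parserOrientation.pl", "../../../course.conf",
           "../../../outside.pl", "../link.pl") {
    my $ok = resolve_macro($templates, $pg, $m);
    printf "%-24s %s\n", $m, defined $ok ? "allowed" : "rejected";
}
```

Only ../parserOrientation.pl is reported as allowed; the course.conf request, the path that climbs out of templates and the symlink that points outside it are all rejected.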