[ww-bugs] Bug 3411: Bug due to failure to follow ../parserOrientation.pl link
bugzilla-daemon at webwork.maa.org
Thu Sep 3 15:55:18 EDT 2015
http://bugs.webwork.maa.org/show_bug.cgi?id=3411
Davide P. Cervone <dpvc at union.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dpvc at union.edu
--- Comment #1 from Davide P. Cervone <dpvc at union.edu> 2015-09-03 15:55:17 ---
My own feeling is that disabling "../" entirely is too aggressive. Perl
undoubtedly has tools for normalizing paths so that you can check if the file
is in the legal scope of the course. And if not, it is not that hard to remove
a directory followed by "/.." by hand and normalize yourself. In fact the
FileManager already does this, as I recall; perhaps not perfectly, but I would
hate to throw the baby out with the bathwater. These kinds of overprotective
measures seem to do that.
When I first started using WeBWorK, I pointed out a number of ways in which PG
could be used to subvert the system, and was told that the safe compartment and
such were not trying to prevent evil authors from breaking into the system, but
rather trying to protect inexperienced or uninformed authors from hurting
themselves. I understand that the course.conf restriction is of this type.
But I don't see a reason to restrict a legitimate use case for no real gain in
security.
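The normalize-then-check approach the comment describes, as an added example in Perl (not WeBWorK's or the FileManager's own code; the course directory, the sample paths and the helper names `normalize_path` and `resolve_in_scope` are assumptions). It keeps legitimate "dir/../" references while rejecting anything that resolves outside the course root:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Lexically normalize a path: drop empty and "." segments, collapse
# "dir/.." pairs. Returns undef if ".." would climb above the start.
sub normalize_path {
    my ($path) = @_;
    my $lead = ($path =~ m{^/}) ? '/' : '';
    my @out;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            return undef unless @out;   # nothing left to pop: escape attempt
            pop @out;
            next;
        }
        push @out, $seg;
    }
    return $lead . join('/', @out);
}

# Resolve $rel against the course root and confirm the result stays inside it.
# Returns the normalized absolute path, or undef when it leaves course scope.
sub resolve_in_scope {
    my ($root, $rel) = @_;
    return undef if File::Spec->file_name_is_absolute($rel);  # no "/etc/..."
    my $root_norm = normalize_path($root);
    my $full      = normalize_path("$root/$rel");
    return undef unless defined $root_norm && defined $full;
    # Scope check: must be the root itself or lie strictly beneath it.
    return undef unless $full eq $root_norm || index($full, "$root_norm/") == 0;
    return $full;
}

# Demonstration on constructed paths (assumed layout, not from the bug report).
my $course = '/opt/webwork/courses/demo';
for my $rel ('templates/../setA/prob.pg',       # legitimate use of ".."
             '../other/course.conf',            # sibling course: out of scope
             '../../../../etc/passwd',          # climbs above the root
             '/etc/passwd') {                   # absolute path
    my $r = resolve_in_scope($course, $rel);
    printf "%-28s -> %s\n", $rel,
        defined $r ? "allowed: $r" : 'rejected (outside course)';
}
```

Lexical normalization does not follow symlinks; for a file that already exists, compare `Cwd::abs_path($full)` against `Cwd::abs_path($root)` with the same prefix test to catch links that point outside the course.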