[ww-bugs] Bug 3411: Bug due to failure to follow ../parserOrientation.pl link
bugzilla-daemon at webwork.maa.org
Thu Sep 3 16:30:43 EDT 2015
http://bugs.webwork.maa.org/show_bug.cgi?id=3411
--- Comment #3 from Davide P. Cervone <dpvc at union.edu> 2015-09-03 16:30:42 ---
> The issue at heart here is the ability for the PG system to read and print system files.
I agree. But (and I think we agree on this), disabling ".." is not the way to
do that. Aside from it preventing legitimate uses like the one cited here, it
also doesn't actually prevent access to system files (there are still other,
subtler ways to do that). And in any case, loadMacros() wouldn't allow you to
read or print the contents of system files, since it only loads .pg files, and
they are *run* as PG code, not printed or accessible in other ways (except
possibly the first line if it is reported in an error message about the macro
file not loading, but I don't remember whether macro file errors are actually
shown or not).
So, as I said, restricting the use of ".." in loadMacros(), the subject of this
bug report, prevents legitimate use cases for no actual gain in security. I
was not saying that general file access should not be more restrictive, only
that loadMacros() doesn't pose the type of threat that you are talking about.
But even for general access, I think ".." can be treated more intelligently (as
I think you agree).
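As an added example, not code from the bug report or from the PG system: a Perl check that resolves a loadMacros()-style relative path and accepts it only when the real target lies inside an allowed macro directory, which is the "more intelligent" treatment of ".." the comment argues for instead of rejecting every path containing it. The directory layout, the file names and the resolve_macro_path function are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not WeBWorK/PG code): resolve a relative macro path and
# check that the real file lies inside an allowed macro directory,
# instead of rejecting any path that merely contains "..".
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Return the resolved path if $requested (relative to $base_dir) resolves
# inside one of @allowed_roots; return undef otherwise. realpath follows
# symlinks, so a link pointing outside the roots is rejected as well.
sub resolve_macro_path {
    my ($base_dir, $requested, @allowed_roots) = @_;
    my $candidate = File::Spec->rel2abs($requested, $base_dir);
    my $real = realpath($candidate);    # undef if the file does not exist
    return undef unless defined $real && -f $real;
    for my $root (@allowed_roots) {
        my $real_root = realpath($root) or next;
        # match on a directory boundary, not a bare string prefix, so
        # "/pg/macros-private" is not mistaken for a child of "/pg/macros"
        return $real if index("$real/", "$real_root/") == 0;
    }
    return undef;
}

# Constructed layout in a temporary directory (assumption, not the real PG tree):
#   macros/parserOrientation.pl
#   macros/contextSets/problem.pg   <- refers to "../parserOrientation.pl"
#   secret/config.txt               <- outside every allowed root
my $top = tempdir(CLEANUP => 1);
make_path("$top/macros/contextSets", "$top/secret");
for my $f ("macros/parserOrientation.pl", "macros/contextSets/problem.pg", "secret/config.txt") {
    open my $fh, '>', "$top/$f" or die $!;
    print $fh "# $f\n";
    close $fh;
}
my @roots = ("$top/macros");
my $from  = "$top/macros/contextSets";

# legitimate use from the bug report: ".." stays inside the macro root
print defined(resolve_macro_path($from, "../parserOrientation.pl", @roots)) ? "allowed\n" : "denied\n";
# ".." that leaves the macro root is denied even though the file exists
print defined(resolve_macro_path($from, "../../secret/config.txt", @roots)) ? "allowed\n" : "denied\n";
```

The first call prints "allowed" and the second "denied"; which file suffixes loadMacros() should accept is a separate policy decision and is not modelled here.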