
Re: gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated



On Thursday 13 January 2011 19:59:20 you wrote:
> Spec looks ok - I guess you wanted it to map nicely to GKeyFile or similar
> "ini" file structure. How about Scheme hooks? s-expr evaluation would be
> difficult here, and config file would accommodate this type of data. Maybe
> a config value with list of extra Scheme files to load - it would have to
> be forbidden/ignored in the "per project" configuration context.

That's correct; my current plan is to use GKeyFile as the storage layer. But 
I'd quite like to hide the underlying implementation from the API user, so 
that if it comes up towards 1.8.0 and we realise that GKeyFile doesn't cut the 
mustard then we only have to change libgeda. ;-)

For per-project Scheme code, my current plan was to allow all config files to 
specify plugins to load, but to only allow setting the plugin search path in 
user and system config files.  I.e. you should have to get the user to install 
your nasty Scheme code in an approved plugins directory *and* get them to load 
your dodgy gEDA files.  Nothing in a config file should *ever* be evaluated.

Once the API spec is done we need to go through *all* the existing "things 
people can do in rc files" and work out whether they can be migrated directly, 
or whether other changes are needed to facilitate the change (for example, 
component libraries, colour maps and print paper sizes all need to have their 
underlying mechanisms looked at & possibly altered).  That'll give us a check 
on whether the new config API can actually fulfil all of the roles that it 
needs to fill, and, as a side benefit, will provide the information we need to 
implement a migration tool to help users upgrade.

It's going to be pretty dull work, unfortunately, but I think it's important 
to make sure that if we're going to rip out the existing configuration system 
we replace it with something that's going to do the job and do it well!

-- 
You received this bug notification because you are a member of gEDA Bug
Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/700333

Title:
  Local configuration should be parsed, not evaluated

Status in GPL Electronic Design Automation tools:
  Confirmed

Bug description:
   affects geda
   security yes
   private no
   done

  Currently, per-directory rc files are evaluated as Scheme scripts.  This
  is an arbitrary code execution security risk.  For example, users (and
  in particular *new* users) are likely to want to download and open
  designs from elsewhere, and almost all designs include a 'gafrc' file to
  set up per-project component libraries.

  Instead of being evaluated, local configuration files should be parsed.
  This way it would be much harder to craft malicious designs.

  An example of a parsable configuration file format is the resource file
  format used by PCB.

  In addition, a tool should be developed for migrating existing designs'
  rc files to the new configuration system.




_______________________________________________
geda-bug mailing list
geda-bug@xxxxxxxxxxxxxx
http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug
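The reply above sketches the intended policy: configuration is parsed as data, never evaluated; any config file may list plugins to load, but only user- and system-level files may set the plugin search path, so a downloaded project cannot point the loader at its own directory. The following is an added illustration of that policy, not libgeda code and not from the thread. It uses Python's configparser as a stand-in for GKeyFile, and the section/key names, the trusted/untrusted split, the `.scm` suffix and the sample files and installed-plugin set are all assumptions constructed for the example.

```python
"""Model of 'parsed, not evaluated' config with a privileged-key policy.

Illustrative example only (not libgeda). configparser stands in for GKeyFile;
all section/key names and sample data below are constructed assumptions.
"""
import configparser
import os

# Constructed sample: a trusted user-level config. It may set the search path.
USER_CONFIG = """
[plugins]
search-path = /usr/share/geda/plugins;/home/alice/.gEDA/plugins
load = autosave
"""

# Constructed sample: a gafrc-style file shipped with a downloaded design.
# It tries to (1) redirect the search path to its own directory,
# (2) load a plugin that only exists there, and (3) smuggle a traversal name.
PROJECT_CONFIG = """
[plugins]
search-path = /tmp/evil
load = netlist-helper;backdoor;../../../../tmp/evil/backdoor

[libraries]
component-library = ./symbols
"""

# Hypothetical policy: keys only user/system config may set, and keys whose
# values are lists that merge rather than override.
PRIVILEGED_KEYS = {("plugins", "search-path")}
LIST_KEYS = {("plugins", "load")}

# Constructed stand-in for the filesystem: plugin files that "exist".
INSTALLED = {
    "/usr/share/geda/plugins/autosave.scm",
    "/home/alice/.gEDA/plugins/netlist-helper.scm",
    "/tmp/evil/backdoor.scm",          # attacker-controlled, outside approved dirs
}


def parse_config(text, trusted):
    """Parse a key-file as pure data. Untrusted (per-project) files have
    privileged keys dropped; nothing here is ever executed."""
    cp = configparser.ConfigParser(interpolation=None)  # no %()s expansion
    cp.read_string(text)
    out = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            if (section, key) in PRIVILEGED_KEYS and not trusted:
                continue  # project files may not set this; ignored
            out[(section, key)] = value
    return out


def merge(user_cfg, project_cfg):
    """User config first, then project config; list keys concatenate,
    everything else overrides (search-path cannot appear in project_cfg)."""
    merged = dict(user_cfg)
    for key, value in project_cfg.items():
        if key in LIST_KEYS and key in merged:
            merged[key] = merged[key] + ";" + value
        else:
            merged[key] = value
    return merged


def is_safe_plugin_name(name):
    """A plugin name must be a single, non-hidden path component."""
    return (bool(name) and name not in (".", "..")
            and "/" not in name and "\\" not in name
            and not name.startswith("."))


def resolve_plugins(cfg, exists=os.path.exists):
    """Map requested plugin names to files, but only inside the approved
    search path. Returns (resolved_paths, rejected_names)."""
    search_path = [p for p in cfg.get(("plugins", "search-path"), "").split(";") if p]
    wanted = [n for n in cfg.get(("plugins", "load"), "").split(";") if n]
    resolved, rejected = [], []
    for name in wanted:
        if not is_safe_plugin_name(name):
            rejected.append(name)          # traversal / hidden / separator
            continue
        for directory in search_path:
            candidate = os.path.join(directory, name + ".scm")
            if exists(candidate):
                resolved.append(candidate)
                break
        else:
            rejected.append(name)          # not installed in an approved dir
    return resolved, rejected


def demo():
    """Run the whole pipeline on the constructed samples."""
    user = parse_config(USER_CONFIG, trusted=True)
    project = parse_config(PROJECT_CONFIG, trusted=False)
    return resolve_plugins(merge(user, project), exists=INSTALLED.__contains__)


if __name__ == "__main__":
    loaded, refused = demo()
    print("would load:", loaded)
    print("refused:   ", refused)
```

Two separate controls do the work: the untrusted parser drops `search-path` before merging, so `/tmp/evil` never becomes a lookup directory, and the resolver only accepts bare names found under the approved path, so neither `backdoor` (installed only in the attacker's directory) nor the `../` name is loaded. The user still has to both install a plugin into an approved directory and open the design for it to run, which is exactly the two-step consent the reply describes.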