[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated

To: geda-bug@xxxxxxxx
Subject: gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
From: Peter TB Brett <700333@xxxxxxxxxxxxxxxxxx>
Date: Thu, 13 Jan 2011 23:09:03 -0000
Delivered-to: archiver@xxxxxxxx
Delivered-to: geda-bug@xxxxxxxx
Delivery-date: Thu, 13 Jan 2011 18:15:54 -0500
List-archive: <http://www.seul.org/pipermail/geda-bug>
List-help: <mailto:geda-bug-request@moria.seul.org?subject=help>
List-id: gEDA bug mailing list <geda-bug.moria.seul.org>
List-post: <mailto:geda-bug@moria.seul.org>
List-subscribe: <http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug>, <mailto:geda-bug-request@moria.seul.org?subject=subscribe>
List-unsubscribe: <http://www.seul.org/cgi-bin/mailman/options/geda-bug>, <mailto:geda-bug-request@moria.seul.org?subject=unsubscribe>
References: <m3ei8n5u4c.fsf@xxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: Bug 700333 <700333@xxxxxxxxxxxxxxxxxx>, gEDA bug mailing list <geda-bug@xxxxxxxxxxxxxx>
Sender: geda-bug-bounces@xxxxxxxxxxxxxx

Just updated the API proposal (http://goo.gl/Lcbna) with some exciting
new info on freezing and thawing of configuration events (suggested by
Peter C), and a beautiful ASCII-art diagram of how configuration events
propagate.  Still left to do: actual API for registering configuration
event handlers; details of handler calling convention; boring details of
error codes.

Also, question for your consideration.  Where should we search for
system configuration?

- Should we just look in ${sysconfdir}?
- If so, should we only ever use the compile-time value, or should we support relocation?
- If we support relocation, how do we do it?
- Should we use XDG_CONFIG_DIRS?

P.S. sorry about the word-wrapping fail above -- Launchpad seems to
disagree with the wrap column of my e-mails.

-- 
You received this bug notification because you are a member of gEDA Bug
Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/700333

Title:
  Local configuration should be parsed, not evaluated

Status in GPL Electronic Design Automation tools:
  Triaged

Bug description:
   affects geda
   security yes
   private no
   done

  Currently, per-directory rc files are evaluated as Scheme scripts.  This
  is an arbitrary code execution security risk.  For example, users (and
  in particular *new* users) are likely to want to download and open
  designs from elsewhere, and almost all designs include a 'gafrc' file to
  set up per-project component libraries.

  Instead of being evaluated, local configuration files should be parsed.
  This way it would be much harder to craft malicious designs.

  An example of a parsable configuration file format is the resource file
  format used by PCB.

  In addition, a tool should be developed for migrating existing designs'
  rc files to the any configuration system.




_______________________________________________
geda-bug mailing list
geda-bug@xxxxxxxxxxxxxx
http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug

References:
- gEDA-bug: [Bug 700333] [NEW] Local configuration should be parsed, not evaluated
  - From: Peter TB Brett

Prev by Author: gEDA-bug: [Bug 699852] Re: Better keybindings for gschem "Select All" and "Deselect"
Next by Author: gEDA-bug: [Bug 702752] Re: gEDA netlisting for NGspice Code Models
Next by thread: gEDA-bug: [ geda-Patches-3149702 ] Fix warning on moving over menu-item without action
Index(es):
- Author
- Thread