[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated

To: geda-bug@xxxxxxxx
Subject: gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
From: Krzysztof KoÅciuszkiewicz <700333@xxxxxxxxxxxxxxxxxx>
Date: Sat, 15 Jan 2011 10:35:57 -0000
Delivered-to: archiver@xxxxxxxx
Delivered-to: geda-bug@xxxxxxxx
Delivery-date: Sat, 15 Jan 2011 05:45:56 -0500
List-archive: <http://www.seul.org/pipermail/geda-bug>
List-help: <mailto:geda-bug-request@moria.seul.org?subject=help>
List-id: gEDA bug mailing list <geda-bug.moria.seul.org>
List-post: <mailto:geda-bug@moria.seul.org>
List-subscribe: <http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug>, <mailto:geda-bug-request@moria.seul.org?subject=subscribe>
List-unsubscribe: <http://www.seul.org/cgi-bin/mailman/options/geda-bug>, <mailto:geda-bug-request@moria.seul.org?subject=unsubscribe>
References: <m3ei8n5u4c.fsf@xxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: Bug 700333 <700333@xxxxxxxxxxxxxxxxxx>, gEDA bug mailing list <geda-bug@xxxxxxxxxxxxxx>
Sender: geda-bug-bounces@xxxxxxxxxxxxxx

I think relocation should be supported for the sake of portability with win32, where location of files is selectable during installation.
Maybe an environment variable will do? Not sure if win32 users would know the meaning XDG_CONFIG_DIRS.

-- 
You received this bug notification because you are a member of gEDA Bug
Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/700333

Title:
  Local configuration should be parsed, not evaluated

Status in GPL Electronic Design Automation tools:
  Triaged

Bug description:
   affects geda
   security yes
   private no
   done

  Currently, per-directory rc files are evaluated as Scheme scripts.  This
  is an arbitrary code execution security risk.  For example, users (and
  in particular *new* users) are likely to want to download and open
  designs from elsewhere, and almost all designs include a 'gafrc' file to
  set up per-project component libraries.

  Instead of being evaluated, local configuration files should be parsed.
  This way it would be much harder to craft malicious designs.

  An example of a parsable configuration file format is the resource file
  format used by PCB.

  In addition, a tool should be developed for migrating existing designs'
  rc files to the any configuration system.




_______________________________________________
geda-bug mailing list
geda-bug@xxxxxxxxxxxxxx
http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug

References:
- gEDA-bug: [Bug 700333] [NEW] Local configuration should be parsed, not evaluated
  - From: Peter TB Brett

Prev by Author: gEDA-bug: [Bug 698854] Re: Rotation
Next by Author: gEDA-bug: [Bug 698854] Re: Allow arbitrary rotation of components
Next by thread: gEDA-bug: [ geda-Patches-3149702 ] Fix warning on moving over menu-item without action
Index(es):
- Author
- Thread