| author | hallgren <hallgren@chalmers.se> | 2011-03-03 15:42:57 +0000 |
|---|---|---|
| committer | hallgren <hallgren@chalmers.se> | 2011-03-03 15:42:57 +0000 |
| commit | 2c1feccd1736c5535251bc5a7f484b5f2c35b9fc (patch) | |
| tree | 713b711c03fc573dc35e5e7671658a0179adcd19 /src/compiler/GFI.hs | |
| parent | b190d30fad3dba5ff63c4bdeeb089916b9c1e66f (diff) | |
GF shell restricted mode
By setting the environment variable GF_RESTRICTED before starting GF, the shell
will be run in restricted mode. This will prevent the GF shell from starting
arbitrary system commands (most uses of System.Cmd.system are blocked) and
writing arbitrary files (most commands that use writeFile et al are blocked).
Restricted mode is intended to minimize the potential security risks involved
in allowing public access to the GF shell over the internet. It should be used
in conjunction with system level protection mechanisms (e.g. file permissions)
to make sure that a publicly accessible GF shell does not give access to parts
of the system that should not be publicly accessible.
Diffstat (limited to 'src/compiler/GFI.hs')
| -rw-r--r-- | src/compiler/GFI.hs | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/compiler/GFI.hs b/src/compiler/GFI.hs
index a7ae2d07c..1041b9c5d 100644
--- a/src/compiler/GFI.hs
+++ b/src/compiler/GFI.hs
@@ -36,7 +36,6 @@ import qualified Data.Map as Map
 import qualified Data.ByteString.Char8 as BS
 import qualified Text.ParserCombinators.ReadP as RP
 import System.IO
-import System.Cmd
 import System.CPUTime
 import System.Directory
 import Control.Exception
@@ -107,7 +106,7 @@ loop opts gfenv0 = do
 r <- runInterruptibly $ case pwords of
 "!":ws -> do
- system $ unwords ws
+ restrictedSystem $ unwords ws
 loopNewCPU gfenv
 "cc":ws -> do
 let
@@ -154,7 +153,7 @@ loop opts gfenv0 = do
 let stop = case ws of
 ('-':'o':'n':'l':'y':'=':fs):_ -> Just $ chunks ',' fs
 _ -> Nothing
- writeFile "_gfdepgraph.dot" (depGraph stop sgr)
+ restricted $ writeFile "_gfdepgraph.dot" (depGraph stop sgr)
 putStrLn "wrote graph in file _gfdepgraph.dot"
 loopNewCPU gfenv
 "eh":w:_ -> do
@@ -220,9 +219,11 @@ loop opts gfenv0 = do
 interpretCommandLine env s0
 loopNewCPU gfenv
 -- gfenv' <- return $ either (const gfenv) id r
- gfenv' <- either (\e -> (print e >> return gfenv)) return r
+ gfenv' <- either (\e -> (printException e >> return gfenv)) return r
 loop opts gfenv'
+printException e = maybe (print e) (putStrLn . ioErrorText) (fromException e)
+
 checkComputeTerm sgr t = do
 mo <- maybe (Bad "no source grammar in scope") return $ greatestResource sgr
 ((t,_),_) <- runCheck $ do t <- renameSourceTerm sgr mo t |
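Review bot: In the `-154,7 +153,7` hunk the context line `putStrLn "wrote graph in file _gfdepgraph.dot"` still runs unconditionally after the new `restricted $ writeFile ...`, so whether a blocked write in restricted mode is reported as success depends entirely on `restricted` aborting the action rather than silently skipping it; `restricted` is defined outside this hunk, so that contract is not visible here. The addition of `printException` in the last hunk suggests `restricted` raises an IOError that is caught at the `either` around the command result, which would make the ordering correct but fragile. I would pin that assumption next to the call: `-- restricted must abort (throw) when GF_RESTRICTED is set, otherwise the success message below is misleading`. The same consideration applies to `restrictedSystem` in the `-107,7 +106,7` hunk, though there no follow-up message is printed. The enclosing `loop` function starts and ends outside these hunks.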
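Review bot: The new top-level `printException` in the `-220,9 +219,11` hunk has neither a type signature nor a comment, and its argument type is fixed only by inference through `fromException` and the unseen `ioErrorText`, which makes the intent easy to break during a later refactor. Since `Control.Exception` is already imported (see the first hunk), I would add `printException :: SomeException -> IO ()` above the definition together with a one-line comment such as `-- IOErrors (e.g. those raised by the restricted-mode wrappers) are printed as plain text; other exceptions via show`. This also documents why the `either` branch was changed from `print e` to `printException e`.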
