Re: Gnumeric/Guile/Python




> > No, there is no way to do this.  And for now I have no plans on doing
> > this.  Until we fully understand the implications of potential viruses 
> > transmitted by this medium, I do think this is not a good idea.
> 
> If guile or python code is limited to changing the current sheet only
> and not modifying files or templates then there is no opportunity 
> for it to spread.

And how are you going to do this?  Once you are in Python land, there
is no way to block any access to the file system or the network.
Unless Python/Perl include some sort of sandbox setup.

> It is Microsoft's broken security model that causes security 
> nightmares such as Melissa, not the concept of embeddable code
> itself.

That is not the problem.  

You are misunderstanding the issues.

If I can put arbitrary code in Gnumeric, how would you stop this
attack:

	=perl("unlink /etc/passwd;");


Miguel.
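
The message above argues that a full interpreter cannot be confined once a cell is handed to it. An added example (not from this thread or from Gnumeric) of the alternative design: the host parses the formula itself and evaluates only an allowlisted subset, so a cell like the `=perl(...)` one above is rejected instead of executed. `SHEET`, `eval_formula`, `FormulaRejected` and the function allowlist are hypothetical names chosen for the illustration.

```python
import ast
import operator

# Constructed sheet contents for the demonstration (not from the thread).
SHEET = {"A1": 10.0, "A2": 32.0}

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}
# Hypothetical allowlist of sheet functions; none can reach files or sockets.
_FUNCS = {"SUM": lambda *a: sum(a), "MAX": max, "MIN": min}


class FormulaRejected(ValueError):
    """Raised when a formula uses syntax outside the allowlist."""


def eval_formula(text, sheet=SHEET):
    """Evaluate '=expr' by walking its AST; eval()/exec() are never called."""
    if not text.startswith("="):
        raise FormulaRejected("not a formula")
    try:
        tree = ast.parse(text[1:].strip().rstrip(";"), mode="eval")
    except SyntaxError as exc:
        raise FormulaRejected(f"syntax error: {exc.msg}") from None
    return _walk(tree.body, sheet)


def _walk(node, sheet):
    # Only numeric literals, known cell names, arithmetic and allowlisted
    # function calls are evaluated; every other node type is refused.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.Name) and node.id in sheet:
        return sheet[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_walk(node.left, sheet),
                                      _walk(node.right, sheet))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_walk(node.operand, sheet))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        return _FUNCS[node.func.id](*[_walk(a, sheet) for a in node.args])
    raise FormulaRejected(f"disallowed construct: {type(node).__name__}")
```

The restriction comes from never giving the formula a general-purpose interpreter; attribute access, imports, string literals and unknown function names all fall through to the final `raise`.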


