Re: Feasibility of system() plugin?



On Sun, Feb 24, 2002 at 02:53:21PM -0500, Leigh Smith wrote:
> Ok, the points regarding security are well taken and I didn't consider that
> issue, but I wonder, doesn't the Python plugin have exactly the same
> security issue? That is, it would be possible to substitute a malicious
> python program instead of a malicious executable binary.

There is a key difference.  Plugins are not packaged with the
document.  A spreadsheet does not have the ability to install code
to change things outside its sandbox.  The Python plugin provides
the ability to write a function in Python; it does not offer the
ability to put Python code into the spreadsheet.

We cannot protect a user from installing an insecure plugin, but we
can promise that our plugins and our program will attempt to be
secure.  Hence none of the prepackaged plugins will provide a
'system' facility.


