It's well known that Nasal has an io module with wrappers around fopen(), fclose(), etc. An aircraft that you install, or even scenery objects with embedded Nasal could in the past use this to delete the contents of your whole home directory, or to append commands to ~/.bashrc, and thus execute code next time you open a shell!
FlightGear is still a rather familiar community, and no (truly :-) evil subjects have yet been spotted. But as popularity grows, this was becoming a very dangerous feature. I have now committed two changes that (I hope) will prevent this abuse. Please review and audit (especially Andy :-). Play with:

    var file = io.open("/some/path", "w");
    io.close(file);

and check the terminal for what fgfs thinks it's doing. There are a lot of debug messages, most of which I will remove later.

The first change is to fg_init.cxx. It makes sure that crackers can't use XML code like the following to sneak in a bad home directory path, which, thanks to the 'write="n"', fgfs wouldn't have been able to overwrite:

    <sim>
      <fg-home write="n">.</fg-home>
    </sim>

/sim/fg-home should now be safe until the security code has read it. You can now override it with the environment variable FG_HOME, but no add-ons can do that via XML or Nasal.

The second change is in $FG_ROOT/Nasal/io.nas. It replaces the original io.open() with a version that checks for illegal write access to non-authorized directories. (Reading is allowed everywhere. Use the OS' permissions to prevent that.) The list of allowed directories is hard coded in io.nas:

    FG_HOME,
    "/tmp/",
    "/var/tmp/",
    "[A-Za-z]:TMP/",
    "[A-Za-z]:TEMP/",
    "[A-Za-z]:/TMP/",
    "[A-Za-z]:/TEMP/",

Please tell me if this doesn't work for you, or if you want more. You can add "*" as first entry to allow writing everywhere. Are TEMP/TMP dirs on MS Windows always in upper case letters?

m.

_______________________________________________
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel
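The write-path allow-list check that the mail describes for io.nas, rewritten here in Python as an added illustration; this is not the FlightGear code, and the FG_HOME value, the function names and the case-insensitive handling of the Windows drive-letter entries are assumptions made for the example. It also shows the one detail such a prefix check has to get right: the path must be normalized before matching, or "/tmp/../home/user/.bashrc" passes as "/tmp/".

```python
import posixpath
import re

# Allow-list copied from the mail. FG_HOME is a constructed stand-in for the
# real $FG_HOME directory (assumption).
FG_HOME = "/home/user/.fgfs/"
ALLOWED_WRITE_DIRS = [
    FG_HOME,
    "/tmp/",
    "/var/tmp/",
    "[A-Za-z]:TMP/",
    "[A-Za-z]:TEMP/",
    "[A-Za-z]:/TMP/",
    "[A-Za-z]:/TEMP/",
]

def _entry_to_regex(entry):
    """Turn one allow-list entry into a regex anchored at the path start.

    Entries are literal directory prefixes, except that "[A-Za-z]" stands
    for a Windows drive letter. Those entries are matched case-insensitively
    because Windows filesystems are case-insensitive (assumption made here;
    the mail leaves the TMP/TEMP case question open).
    """
    if entry == "*":                      # "*" as first entry: allow everywhere
        return re.compile(r".*")
    if entry.startswith("[A-Za-z]"):
        rest = re.escape(entry[len("[A-Za-z]"):])
        return re.compile(r"[A-Za-z]" + rest, re.IGNORECASE)
    return re.compile(re.escape(entry))

def write_allowed(path, allowed=ALLOWED_WRITE_DIRS):
    """True if `path` lies under one of the allowed write directories."""
    # Unify separators and collapse "." / ".." so a prefix test cannot be
    # escaped by traversal. Symlinks are not resolved here; a real check
    # would additionally canonicalize with os.path.realpath().
    norm = posixpath.normpath(path.replace("\\", "/"))
    return any(rx.match(norm) for rx in map(_entry_to_regex, allowed))

def check_open(path, mode="r", allowed=ALLOWED_WRITE_DIRS):
    """Policy decision for an io.open()-style call: reads are always
    permitted, any write-capable mode must pass the allow-list."""
    if any(flag in mode for flag in "wa+"):
        return write_allowed(path, allowed)
    return True

if __name__ == "__main__":
    for p in ("/tmp/out.log", "/tmp/../home/user/.bashrc", "C:\\temp\\x.log"):
        print(p, "->", "allowed" if check_open(p, "w") else "refused")
```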