Hi,

On Saturday, 10.09.2011 at 19:34 +0200, Erik Hesselink wrote:
> On Sat, Sep 10, 2011 at 18:51, Joachim Breitner
> <m...@joachim-breitner.de> wrote:
> > On Saturday, 10.09.2011 at 11:26 +0200, Erik Hesselink wrote:
> >> Did you know you can also put a .ghci file in your project dir, and if
> >> you start ghci from that dir, it will also load that file? I think
> >> that allows you to replicate some of the functionality of this tool,
> >> since it allows per project ghci options.
> >
> > is this well known and documented enough? It seems to me that most
> > people would not expect that running "ghci" in a directory can cause
> > arbitrary commands to be executed. This could be a security issue, e.g.
> > running ghci in a just downloaded software package with a rogue .ghci
> > file... but I am not sure what can or should be done about it.
>
> Running ghci runs template haskell, which can already run arbitrary
> code. Not that that fact makes this more secure, but if you don't
> trust the Haskell packages you're installing, there are larger
> security issues than .ghci files.
yes, but this requires actively loading a file. Executing arbitrary
commands when someone starts ghci in a rogue folder (consider an examiner
on a multi-user machine at a university) is of a different quality.
Especially as the file is hidden – TH code can easily be checked for
before. Also it affects invocations of "ghc -e", which conceivably could
be used in aliases for some action unrelated to running a ghci session,
as in
http://www.joachim-breitner.de/blog/archives/156-Haskell-on-the-Command-Line.html

Maybe the file shouldn't be hidden; this would give some protection.
Alternatively, ghci could keep a white-list of files somewhere in ~/.ghci
and ask if it should execute a .ghci file that has not been encountered
before.

I just noticed that it will not read files in directories not owned by
you and warn you about it (e.g. in /tmp), which is a good start. But this
does not help against files in packaged repositories.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
  m...@joachim-breitner.de | nome...@debian.org | GPG: 0x4743206C
  xmpp: nome...@joachim-breitner.de | http://www.joachim-breitner.de/
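The two safeguards discussed in this message (refusing a .ghci that is not owned by the current user, and a trust list that prompts the user before executing a .ghci that has not been approved before) can be modelled as a small pre-launch check. The following is an added illustration written for this page; it is not GHC's code and not a description of how ghci actually implements its ownership check. The trust-file location and format (one `<sha256> <absolute path>` line per entry), the exact permission rule (file and its directory must be owned by the caller and not group/world-writable), and the `check_dot_ghci` / `is_private_to` names are all assumptions of the example. It needs a POSIX system for `os.getuid`.

```python
"""Pre-launch check for a per-directory .ghci (illustration, not GHC code).

Models the ideas from the thread:
  1. refuse a .ghci that we do not own or that others could write to;
  2. keep a trust list keyed by (sha256, absolute path): an unknown or
     modified file is shown to the user and only executed after approval.
"""
import hashlib
import os
import stat
from pathlib import Path
from typing import Callable, Optional, Set, Tuple

# Assumed rule: group- or world-writable counts as "could have been planted".
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def is_private_to(path: Path, uid: int) -> bool:
    """True if `path` and its directory are owned by `uid` and not writable
    by group/others. The directory is checked too: a writable parent lets
    another user swap the file out from under us."""
    for p in (path, path.parent):
        st = p.stat()
        if st.st_uid != uid or st.st_mode & UNSAFE_WRITE_BITS:
            return False
    return True


def load_trust_list(trust_file: Path) -> Set[Tuple[str, str]]:
    """Assumed format: one '<sha256> <absolute path>' per line."""
    entries: Set[Tuple[str, str]] = set()
    if not trust_file.exists():
        return entries
    for line in trust_file.read_text().splitlines():
        parts = line.split(" ", 1)
        if len(parts) == 2:
            entries.add((parts[0], parts[1]))
    return entries


def add_to_trust_list(trust_file: Path, path: Path, digest: str) -> None:
    with trust_file.open("a") as fh:
        fh.write(f"{digest} {path}\n")


def check_dot_ghci(directory: Path, trust_file: Path,
                   ask: Callable[[Path, str], bool],
                   uid: Optional[int] = None) -> str:
    """Decide what to do with `directory/.ghci` before starting ghci.

    Returns one of:
      "absent"   - no .ghci here
      "refused"  - not owned by us / writable by others: never executed
      "trusted"  - (hash, path) already approved: execute without asking
      "approved" - user inspected the contents and approved: recorded, execute
      "declined" - user declined: not executed, not recorded
    `ask(path, contents)` is the prompt; it returns True to approve.
    """
    dot_ghci = directory / ".ghci"
    if not dot_ghci.is_file():
        return "absent"
    uid = os.getuid() if uid is None else uid
    if not is_private_to(dot_ghci, uid):
        return "refused"
    resolved = dot_ghci.resolve()
    digest = sha256_of(dot_ghci)
    if (digest, str(resolved)) in load_trust_list(trust_file):
        return "trusted"
    # Unknown or changed file: show the contents, since the point of the
    # hidden-file problem is that nobody looks inside a dotfile by accident.
    if ask(dot_ghci, dot_ghci.read_text(errors="replace")):
        add_to_trust_list(trust_file, resolved, digest)
        return "approved"
    return "declined"


def default_prompt(path: Path, contents: str) -> bool:
    print(f"Unrecognised {path}, contents:\n{contents}")
    return input("Execute it? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    # Hypothetical trust-file location; a real tool would make this configurable.
    print(check_dot_ghci(Path.cwd(), Path.home() / ".ghci-trusted", default_prompt))
```

Because the key includes the file's hash, editing an approved .ghci (or swapping a package's .ghci for a new one at the same path) forces a fresh prompt; because the ownership test covers the directory as well as the file, a .ghci in a world-writable location is refused outright rather than offered for approval.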
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe