[racket-dev] [plt] Push #27862: master branch updated
Can you demonstrate how to make this happen? Opening a file with these
contents, for example, doesn't install anything.
#lang racket
(require (planet planet/test-connection:1:0/test-connection))
As for automatically executing arbitrary code, I think you must mean
something more precise here. Perhaps "code that hasn't already been
explicitly installed"? If that's what you mean, then I think I'm also
missing how this happens.
Robby
On Wed, Nov 27, 2013 at 4:42 PM, Jay McCarthy <jay at racket-lang.org> wrote:
> There is an important change in this commit. Since we've created the
> release branch for 6.0, I think we should stop automatically
> installing and executing arbitrary code when people open files in
> DrRacket. Currently the error message suggests using "raco planet" but
> I think we need a bit of a GUI shim for other users.
>
> On Wed, Nov 27, 2013 at 3:40 PM, <jay at racket-lang.org> wrote:
> > jay has updated `master' from 033065f632 to 60ae164d05.
> > http://git.racket-lang.org/plt/033065f632..60ae164d05
> >
> > =====[ 6 Commits ]======================================================
> > Directory summary:
> > 57.6% pkgs/plt-services/meta/pkg-index/official/static/
> > 17.6% pkgs/plt-services/meta/pkg-index/official/
> > 22.0% racket/collects/planet/private/
> >
> > ~~~~~~~~~~
> >
> > 2413278 Jay McCarthy <jay at racket-lang.org> 2013-11-27 14:51
> > :
> > | moving delete button
> > :
> > M .../meta/pkg-index/official/static/index.html | 2 ++
> > M .../meta/pkg-index/official/static/index.js | 16
> +++++++++-------
> > M .../meta/pkg-index/official/static/style.css | 4 ++++
> >
> > ~~~~~~~~~~
> >
> > 113696c Jay McCarthy <jay at racket-lang.org> 2013-11-27 14:54
> > :
> > | edit on lose focus
> > :
> > M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-
> >
> > ~~~~~~~~~~
> >
> > cf1755f Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:19
> > :
> > | Remove arbitrary code execution exploit from Racket and DrRacket
> > |
> > | This is particularly bad with DrRacket's online syntax checking, which
> > | causes opening a file to download and execute arbitrary code.
> > :
> > M racket/collects/planet/private/resolver.rkt | 8 ++++----
> >
> > ~~~~~~~~~~
> >
> > 98df30c Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:30
> > :
> > | deleting static s3 content properly
> > :
> > M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11 ++++++++++-
> >
> > ~~~~~~~~~~
> >
> > 7b7a5ad Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:33
> > :
> > | increase pkg test timeout
> > :
> > M pkgs/plt-services/meta/props | 2 +-
> >
> > ~~~~~~~~~~
> >
> > 60ae164 Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:39
> > :
> > | Removing add tag button when not logged in re mflatt
> > :
> > M pkgs/plt-services/meta/pkg-index/official/static/index.js | 11
> +++++++++--
> > M .../plt-services/meta/pkg-index/official/static/index.html | 2 +-
> >
> > =====[ Overall Diff ]===================================================
> >
> > pkgs/plt-services/meta/pkg-index/official/static.rkt
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt
> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt
> > @@ -304,7 +304,16 @@
> > (cache "/pkgs" "pkgs")
> > (cache "/pkgs-all" "pkgs-all")
> > (for ([p (in-list pkg-list)])
> > - (cache (format "/pkg/~a" p) (format "pkg/~a" p))))
> > + (cache (format "/pkg/~a" p) (format "pkg/~a" p)))
> > +
> > + (let ()
> > + (define pkg-path (build-path static-path "pkg"))
> > + (for ([f (in-list (directory-list pkg-path))]
> > + #:unless (regexp-match #"json$" (path->string f))
> > + #:unless (member (path->string f) pkg-list))
> > + (with-handlers ([exn:fail:filesystem? void])
> > + (delete-file (build-path pkg-path f))
> > + (delete-file (build-path pkg-path (path-add-suffix f
> #".json")))))))
> >
> > (module+ main
> > (require racket/cmdline)
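Review bot: the `(with-handlers ([exn:fail:filesystem? void]) ...)` wrapped around the two `delete-file` calls in the new `(let () ...)` block swallows every filesystem failure silently, so a stale `pkg/<name>` file that cannot be removed (permissions, a concurrent writer) is never reported and the stale package page stays published. Log the exception, or at least the path, in the handler instead of `void`, and put the `.json` deletion in its own handler so a failure on the first `delete-file` does not skip the second.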
> >
> > pkgs/plt-services/meta/pkg-index/official/static/index.html
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.html
> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.html
> > @@ -54,12 +54,14 @@
> > <tr><td>Last Edit:</td><td><span
> id="pi_last_edit"></span></td></tr>
> > <tr><td>Description:</td><td><span
> id="pi_description"></span></td></tr>
> > <tr><td>Tags:</td><td><span id="pi_tags"></span></td></tr>
> > - <tr><td></td><td><input type="text" id="pi_add_tag_text"
> class="text ui-widget-content ui-corner-all" /><button
> id="pi_add_tag_button">Add Tag</button></td></tr>
> > + <tr id="pi_add_tag_row"><td></td><td><input type="text"
> id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /><button
> id="pi_add_tag_button">Add Tag</button></td></tr>
> > <tr id="pi_versions_row"><td>Versions Exceptions</td><td><table
> id="pi_versions"></table></td></tr>
> > <tr
> id="pi_add_version_row"><td></td><td><label>Version:</label> <input
> type="text" id="pi_add_version_text" class="text ui-widget-content
> ui-corner-all" /><br /><label>Source:</label> <input type="text"
> id="pi_add_version_source_text" class="text ui-widget-content
> ui-corner-all" /><button id="pi_add_version_button">Add Version
> Exception</button></td></tr>
> > <tr id="pi_dependencies_row"><td>Dependencies</td><td><span
> id="pi_dependencies"></span></td></tr>
> > <tr id="pi_conflicts_row"><td>Conflicts</td><td><span
> id="pi_conflicts"></span></td></tr>
> > <tr><td>Modules</td><td><span id="pi_modules"></span></td></tr>
> > + <tr id="pi_delete_row"><td colspan="2"><button
> id="pi_delete_button">Delete
> > + Package</button><br />(there is no undo!)</td></tr>
> > </table>
> >
> > <div id="pi_install" class="install">Install this package
> with:<br><br><tt>raco pkg install <span
> id="pi_name_inst"></span></tt><br><br>or, with the 'File|Install
> Package...' menu option in DrRacket.</div>
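Review bot: the new `pi_delete_row` puts an irreversible action ("there is no undo!") behind a single click with no confirmation step; a `confirm()` prompt or a two-step button in the handler that wires `#pi_delete_button` would avoid accidental deletes. Also, giving `#pi_add_tag_row` and `#pi_delete_row` ids so that they can be shown or hidden only controls what is displayed; the hidden rows stay in the DOM, so the `/jsonp/package/del` endpoint and the tag endpoint still have to verify the caller's identity and package ownership server-side.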
> >
> > pkgs/plt-services/meta/pkg-index/official/static/index.js
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.js
> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.js
> > @@ -8,6 +8,8 @@ function me () {
> > return localStorage['email']; }
> >
> > $( document ).ready(function() {
> > + var logged_in = false;
> > +
> > function jslink ( texts, clickf) {
> > return $('<a>', { href: "javascript:void(0)",
> > click: clickf } ).html(texts); }
> > @@ -43,7 +45,7 @@ $( document ).ready(function() {
> > update_package_on_list ( pkgi );
> > // console.log( pkgi );
> > change_hash( "[" + pkgi['name'] + "]" );
> > -
> > +
> > var mypkg_p = ($.inArray(me(), pkgi['authors'] ) != -1);
> >
> > function make_editbutton ( spot, initv, fun ) {
> > @@ -56,17 +58,20 @@ $( document ).ready(function() {
> > var it = $( "#" + spot +
> "_text" );
> > it.keypress( function (e) {
> > if (e.which == 13) {
> fun (it.val()); } } );
> > + it.focusout( function (e) {
> > + fun (it.val()); } );
> > it.val(initv).focus(); } )
> ); } }
> >
> > $( "#pi_name" ).text( pkgi['name'] );
> > make_editbutton ( "pi_name", pkgi['name'], submit_mod_name );
> > if ( mypkg_p ) {
> > - $( "#pi_name" ).append( $('<button>')
> > - .button({ icons: { primary:
> "ui-icon-trash" } })
> > - .click( function (e) {
> > - dynamic_pkgsend(
> "/jsonp/package/del", { } );
> > - $(pkgi['dom_obj']).remove();
> > -
> $("#package_info").dialog("close"); } ) ); }
> > + $( "#pi_delete_button" ).click( function (e) {
> > + dynamic_pkgsend( "/jsonp/package/del", { } );
> > + $(pkgi['dom_obj']).remove();
> > + $("#package_info").dialog("close"); } );
> > + $( "#pi_delete_row" ).show(); }
> > + else {
> > + $( "#pi_delete_row" ).hide(); }
> >
> > $( "#pi_name_inst" ).text( pkgi['name'] );
> > $( "#pi_ring" ).text( pkgi['ring'] );
> > @@ -104,6 +109,10 @@ $( document ).ready(function() {
> > " "]; }
> > else {
> > return [tag, " "]; } } ) ));
> > + if ( logged_in ) {
> > + $( "#pi_add_tag_row" ).show(); }
> > + else {
> > + $( "#pi_add_tag_row" ).hide(); }
> >
> > $( "#pi_versions" ).html("").append( $.map(
> Object.keys(pkgi['versions']).sort(), function ( v, vi ) {
> > var vo = pkgi['versions'][v];
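Review bot: the `if ( logged_in )` show/hide of `#pi_add_tag_row` is evaluated only at the moment the dialog is populated, while `logged_in` is flipped by `menu_loggedin`/`menu_logout` elsewhere; if the login state is established after a dialog is already open, that dialog keeps the row hidden (or shown) until it is re-rendered. Toggling `#pi_add_tag_row` from `menu_loggedin` and `menu_logout` as well would keep the two in sync.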
> > @@ -494,8 +503,10 @@ $( document ).ready(function() {
> > $( "#login_code_row" ).hide();
> >
> > function menu_logout () {
> > + logged_in = false;
> > $("#logout").html( jslink( "login", function () { $( "#login"
> ).dialog( "open" ); } ) ); }
> > function menu_loggedin ( curate_p ) {
> > + logged_in = true;
> > $("#logout").html("")
> > .append( me(),
> > ( curate_p ? [ " (", jslink( "curator", function
> () {
> >
> > pkgs/plt-services/meta/pkg-index/official/static/style.css
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/style.css
> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/style.css
> > @@ -150,3 +150,7 @@ a.possible {
> > text-align: center;
> > color: red;
> > }
> > +
> > +tr#pi_delete_row td {
> > + text-align: center;
> > +}
> >
> > pkgs/plt-services/meta/props
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > --- OLD/pkgs/plt-services/meta/props
> > +++ NEW/pkgs/plt-services/meta/props
> > @@ -1289,7 +1289,7 @@ path/s is either such a string or a list of them.
> > "pkgs/racket-pkgs/racket-test/tests/openssl/basic.rkt" drdr:random #t
> > "pkgs/racket-pkgs/racket-test/tests/pkg" responsible (jay)
> drdr:command-line (mzc *)
> > "pkgs/racket-pkgs/racket-test/tests/pkg/test-pkgs" drdr:command-line #f
> > -"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line
> (raco "test" *) drdr:timeout 600
> > +"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line
> (raco "test" *) drdr:timeout 2400
> > "pkgs/racket-pkgs/racket-test/tests/racket" responsible (mflatt)
> > "pkgs/racket-pkgs/racket-test/tests/racket/all.rktl" drdr:command-line
> #f
> > "pkgs/racket-pkgs/racket-test/tests/racket/basic.rktl"
> drdr:command-line #f
> >
> > racket/collects/planet/private/resolver.rkt
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > --- OLD/racket/collects/planet/private/resolver.rkt
> > +++ NEW/racket/collects/planet/private/resolver.rkt
> > @@ -219,9 +219,9 @@ See the scribble documentation on the
> planet/resolver module.
> > (struct-out exn:fail:planet))
> >
> > ;; if #f, will not install packages and instead raise a
> exn:fail:install? error
> > -(define install? (make-parameter #t))
> > +(define install? (make-parameter #f))
> > ;; if #f, will not download packages and instead raise a
> exn:fail:install? error
> > -(define download? (make-parameter #t))
> > +(define download? (make-parameter #f))
> > (define-struct (exn:fail:planet exn:fail) ())
> >
> > ;; update doc index only once for a set of installs:
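Review bot: the comments above both parameters still say they "raise a exn:fail:install? error", but the checks in this file raise `make-exn:fail:planet` (and `exn:fail:planet` is what is exported via `struct-out`); while the defaults are being flipped, fix the comments to name the right exception and the new `#f` default, since `#f` is now what every caller gets unless it parameterizes `download?`/`install?` explicitly. The user-facing docs for the two parameters need the same update, and the callers that are meant to install (`raco planet`) should be checked to confirm they still set the parameters.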
> > @@ -541,7 +541,7 @@ See the scribble documentation on the
> planet/resolver module.
> > (unless (download?)
> > (raise (make-exn:fail:planet
> > (format
> > - "PLaneT error: cannot download package ~s since the
> download? parameter is set to #f"
> > + "PLaneT error: cannot download package ~s without
> permission. Give permission with download? parameter or use 'raco planet
> install'"
> > (list (car (pkg-spec-path pkg)) (pkg-spec-name pkg)))
> > (current-continuation-marks))))
> > ((if (USE-HTTP-DOWNLOADS?) download-package/http
> download-package/planet)
> > @@ -577,7 +577,7 @@ See the scribble documentation on the
> planet/resolver module.
> > (unless (install?)
> > (raise (make-exn:fail:planet
> > (format
> > - "PLaneT error: cannot install package ~s since the
> install? parameter is set to #f"
> > + "PLaneT error: cannot install package ~s without
> permission. Give permission with download? parameter or use 'raco planet
> install'"
> > (list (car pkg-path) pkg-name maj min))
> > (current-continuation-marks))))
> > (define owner (car pkg-path))
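Review bot: the new install message says "Give permission with download? parameter", but this branch is the `(unless (install?) ...)` check, so the hint names the wrong parameter; it was copied from the `download?` message above and should read "install? parameter". Otherwise a user who follows the message sets `download?` and still hits this error.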
>
> _________________________
> Racket Developers list:
> http://lists.racket-lang.org/dev
>