<div dir="ltr">Can you demonstrate how to make this happen? Opening a file with these contents, for example, doesn't install anything.<div><br></div><div><div>#lang racket</div><div>(require (planet planet/test-connection:1:0/test-connection))</div>
<div><br></div><div>As for automatically executing arbitrary code, I think you must mean something more precise here. Perhaps "code that hasn't already been explicitly installed"? If that's what you mean, then I think I'm also missing how this happens.</div>
<div><br></div><div>Robby</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Nov 27, 2013 at 4:42 PM, Jay McCarthy <span dir="ltr"><<a href="mailto:jay@racket-lang.org" target="_blank">jay@racket-lang.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There is an important change in this commit. Since we've created the<br>
release branch for 6.0, I think we should stop automatically<br>
installing and executing arbitrary code when people open files in<br>
DrRacket. Currently the error message suggests using "raco planet" but<br>
I think we need a bit of a GUI shim for other users.<br>
<div><div class="h5"><br>
On Wed, Nov 27, 2013 at 3:40 PM, <<a href="mailto:jay@racket-lang.org">jay@racket-lang.org</a>> wrote:<br>
> jay has updated `master' from 033065f632 to 60ae164d05.<br>
> <a href="http://git.racket-lang.org/plt/033065f632..60ae164d05" target="_blank">http://git.racket-lang.org/plt/033065f632..60ae164d05</a><br>
><br>
> =====[ 6 Commits ]======================================================<br>
> Directory summary:<br>
> 57.6% pkgs/plt-services/meta/pkg-index/official/static/<br>
> 17.6% pkgs/plt-services/meta/pkg-index/official/<br>
> 22.0% racket/collects/planet/private/<br>
><br>
> ~~~~~~~~~~<br>
><br>
> 2413278 Jay McCarthy <<a href="mailto:jay@racket-lang.org">jay@racket-lang.org</a>> 2013-11-27 14:51<br>
> :<br>
> | moving delete button<br>
> :<br>
> M .../meta/pkg-index/official/static/index.html | 2 ++<br>
> M .../meta/pkg-index/official/static/index.js | 16 +++++++++-------<br>
> M .../meta/pkg-index/official/static/style.css | 4 ++++<br>
><br>
> ~~~~~~~~~~<br>
><br>
> 113696c Jay McCarthy <<a href="mailto:jay@racket-lang.org">jay@racket-lang.org</a>> 2013-11-27 14:54<br>
> :<br>
> | edit on lose focus<br>
> :<br>
> M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-<br>
><br>
> ~~~~~~~~~~<br>
><br>
> cf1755f Jay McCarthy <<a href="mailto:jay@racket-lang.org">jay@racket-lang.org</a>> 2013-11-27 15:19<br>
> :<br>
> | Remove arbitrary code execution exploit from Racket and DrRacket<br>
> |<br>
> | This is particularly bad with DrRacket's online syntax checking, which<br>
> | causes opening a file to download and executed aribtrary code.<br>
> :<br>
> M racket/collects/planet/private/resolver.rkt | 8 ++++----<br>
><br>
> ~~~~~~~~~~<br>
><br>
> 98df30c Jay McCarthy <<a href="mailto:jay@racket-lang.org">jay@racket-lang.org</a>> 2013-11-27 15:30<br>
> :<br>
> | deleting static s3 content properly<br>
> :<br>
> M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11 ++++++++++-<br>
><br>
> ~~~~~~~~~~<br>
><br>
> 7b7a5ad Jay McCarthy <<a href="mailto:jay@racket-lang.org">jay@racket-lang.org</a>> 2013-11-27 15:33<br>
> :<br>
> | increase pkg test timeout<br>
> :<br>
> M pkgs/plt-services/meta/props | 2 +-<br>
><br>
> ~~~~~~~~~~<br>
><br>
> 60ae164 Jay McCarthy <<a href="mailto:jay@racket-lang.org">jay@racket-lang.org</a>> 2013-11-27 15:39<br>
> :<br>
> | Removing add tag button when not logged in re mflatt<br>
> :<br>
> M pkgs/plt-services/meta/pkg-index/official/static/index.js | 11 +++++++++--<br>
> M .../plt-services/meta/pkg-index/official/static/index.html | 2 +-<br>
><br>
> =====[ Overall Diff ]===================================================<br>
><br>
> pkgs/plt-services/meta/pkg-index/official/static.rkt<br>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt<br>
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt<br>
> @@ -304,7 +304,16 @@<br>
> (cache "/pkgs" "pkgs")<br>
> (cache "/pkgs-all" "pkgs-all")<br>
> (for ([p (in-list pkg-list)])<br>
> - (cache (format "/pkg/~a" p) (format "pkg/~a" p))))<br>
> + (cache (format "/pkg/~a" p) (format "pkg/~a" p)))<br>
> +<br>
> + (let ()<br>
> + (define pkg-path (build-path static-path "pkg"))<br>
> + (for ([f (in-list (directory-list pkg-path))]<br>
> + #:unless (regexp-match #"json$" (path->string f))<br>
> + #:unless (member (path->string f) pkg-list))<br>
> + (with-handlers ([exn:fail:filesystem? void])<br>
> + (delete-file (build-path pkg-path f))<br>
> + (delete-file (build-path pkg-path (path-add-suffix f #".json")))))))<br>
><br>
> (module+ main<br>
> (require racket/cmdline)<br>
><br>
> pkgs/plt-services/meta/pkg-index/official/static/index.html<br>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.html<br>
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.html<br>
> @@ -54,12 +54,14 @@<br>
> <tr><td>Last Edit:</td><td><span id="pi_last_edit"></span></td></tr><br>
> <tr><td>Description:</td><td><span id="pi_description"></span></td></tr><br>
> <tr><td>Tags:</td><td><span id="pi_tags"></span></td></tr><br>
> - <tr><td></td><td><input type="text" id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /><button id="pi_add_tag_button">Add Tag</button></td></tr><br>
> + <tr id="pi_add_tag_row"><td></td><td><input type="text" id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /><button id="pi_add_tag_button">Add Tag</button></td></tr><br>
> <tr id="pi_versions_row"><td>Versions Exceptions</td><td><table id="pi_versions"></table></td></tr><br>
> <tr id="pi_add_version_row"><td></td><td><label>Version:</label> <input type="text" id="pi_add_version_text" class="text ui-widget-content ui-corner-all" /><br /><label>Source:</label> <input type="text" id="pi_add_version_source_text" class="text ui-widget-content ui-corner-all" /><button id="pi_add_version_button">Add Version Exception</button></td></tr><br>
> <tr id="pi_dependencies_row"><td>Dependencies</td><td><span id="pi_dependencies"></span></td></tr><br>
> <tr id="pi_conflicts_row"><td>Conflicts</td><td><span id="pi_conflicts"></span></td></tr><br>
> <tr><td>Modules</td><td><span id="pi_modules"></span></td></tr><br>
> + <tr id="pi_delete_row"><td colspan="2"><button id="pi_delete_button">Delete<br>
> + Package</button><br />(there is no undo!)</td></tr><br>
> </table><br>
><br>
> <div id="pi_install" class="install">Install this package with:<br><br><tt>raco pkg install <span id="pi_name_inst"></span></tt><br><br>or, with the 'File|Install Package...' menu option in DrRacket.</div><br>
><br>
> pkgs/plt-services/meta/pkg-index/official/static/index.js<br>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.js<br>
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.js<br>
> @@ -8,6 +8,8 @@ function me () {<br>
> return localStorage['email']; }<br>
><br>
> $( document ).ready(function() {<br>
> + var logged_in = false;<br>
> +<br>
> function jslink ( texts, clickf) {<br>
> return $('<a>', { href: "javascript:void(0)",<br>
> click: clickf } ).html(texts); }<br>
> @@ -43,7 +45,7 @@ $( document ).ready(function() {<br>
> update_package_on_list ( pkgi );<br>
> // console.log( pkgi );<br>
> change_hash( "[" + pkgi['name'] + "]" );<br>
> -<br>
> +<br>
> var mypkg_p = ($.inArray(me(), pkgi['authors'] ) != -1);<br>
><br>
> function make_editbutton ( spot, initv, fun ) {<br>
> @@ -56,17 +58,20 @@ $( document ).ready(function() {<br>
> var it = $( "#" + spot + "_text" );<br>
> it.keypress( function (e) {<br>
> if (e.which == 13) { fun (it.val()); } } );<br>
> + it.focusout( function (e) {<br>
> + fun (it.val()); } );<br>
> it.val(initv).focus(); } ) ); } }<br>
><br>
> $( "#pi_name" ).text( pkgi['name'] );<br>
> make_editbutton ( "pi_name", pkgi['name'], submit_mod_name );<br>
> if ( mypkg_p ) {<br>
> - $( "#pi_name" ).append( $('<button>')<br>
> - .button({ icons: { primary: "ui-icon-trash" } })<br>
> - .click( function (e) {<br>
> - dynamic_pkgsend( "/jsonp/package/del", { } );<br>
> - $(pkgi['dom_obj']).remove();<br>
> - $("#package_info").dialog("close"); } ) ); }<br>
> + $( "#pi_delete_button" ).click( function (e) {<br>
> + dynamic_pkgsend( "/jsonp/package/del", { } );<br>
> + $(pkgi['dom_obj']).remove();<br>
> + $("#package_info").dialog("close"); } );<br>
> + $( "#pi_delete_row" ).show(); }<br>
> + else {<br>
> + $( "#pi_delete_row" ).hide(); }<br>
><br>
> $( "#pi_name_inst" ).text( pkgi['name'] );<br>
> $( "#pi_ring" ).text( pkgi['ring'] );<br>
> @@ -104,6 +109,10 @@ $( document ).ready(function() {<br>
> " "]; }<br>
> else {<br>
> return [tag, " "]; } } ) ));<br>
> + if ( logged_in ) {<br>
> + $( "#pi_add_tag_row" ).show(); }<br>
> + else {<br>
> + $( "#pi_add_tag_row" ).hide(); }<br>
><br>
> $( "#pi_versions" ).html("").append( $.map( Object.keys(pkgi['versions']).sort(), function ( v, vi ) {<br>
> var vo = pkgi['versions'][v];<br>
> @@ -494,8 +503,10 @@ $( document ).ready(function() {<br>
> $( "#login_code_row" ).hide();<br>
><br>
> function menu_logout () {<br>
> + logged_in = false;<br>
> $("#logout").html( jslink( "login", function () { $( "#login" ).dialog( "open" ); } ) ); }<br>
> function menu_loggedin ( curate_p ) {<br>
> + logged_in = true;<br>
> $("#logout").html("")<br>
> .append( me(),<br>
> ( curate_p ? [ " (", jslink( "curator", function () {<br>
><br>
> pkgs/plt-services/meta/pkg-index/official/static/style.css<br>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/style.css<br>
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/style.css<br>
> @@ -150,3 +150,7 @@ a.possible {<br>
> text-align: center;<br>
> color: red;<br>
> }<br>
> +<br>
> +tr#pi_delete_row td {<br>
> + text-align: center;<br>
> +}<br>
><br>
> pkgs/plt-services/meta/props<br>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
> --- OLD/pkgs/plt-services/meta/props<br>
> +++ NEW/pkgs/plt-services/meta/props<br>
> @@ -1289,7 +1289,7 @@ path/s is either such a string or a list of them.<br>
> "pkgs/racket-pkgs/racket-test/tests/openssl/basic.rkt" drdr:random #t<br>
> "pkgs/racket-pkgs/racket-test/tests/pkg" responsible (jay) drdr:command-line (mzc *)<br>
> "pkgs/racket-pkgs/racket-test/tests/pkg/test-pkgs" drdr:command-line #f<br>
> -"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line (raco "test" *) drdr:timeout 600<br>
> +"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line (raco "test" *) drdr:timeout 2400<br>
> "pkgs/racket-pkgs/racket-test/tests/racket" responsible (mflatt)<br>
> "pkgs/racket-pkgs/racket-test/tests/racket/all.rktl" drdr:command-line #f<br>
> "pkgs/racket-pkgs/racket-test/tests/racket/basic.rktl" drdr:command-line #f<br>
><br>
> racket/collects/planet/private/resolver.rkt<br>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
> --- OLD/racket/collects/planet/private/resolver.rkt<br>
> +++ NEW/racket/collects/planet/private/resolver.rkt<br>
> @@ -219,9 +219,9 @@ See the scribble documentation on the planet/resolver module.<br>
> (struct-out exn:fail:planet))<br>
><br>
> ;; if #f, will not install packages and instead raise a exn:fail:install? error<br>
> -(define install? (make-parameter #t))<br>
> +(define install? (make-parameter #f))<br>
> ;; if #f, will not download packages and instead raise a exn:fail:install? error<br>
> -(define download? (make-parameter #t))<br>
> +(define download? (make-parameter #f))<br>
> (define-struct (exn:fail:planet exn:fail) ())<br>
><br>
> ;; update doc index only once for a set of installs:<br>
> @@ -541,7 +541,7 @@ See the scribble documentation on the planet/resolver module.<br>
> (unless (download?)<br>
> (raise (make-exn:fail:planet<br>
> (format<br>
> - "PLaneT error: cannot download package ~s since the download? parameter is set to #f"<br>
> + "PLaneT error: cannot download package ~s without permission. Give permission with download? parameter or use 'raco planet install'"<br>
> (list (car (pkg-spec-path pkg)) (pkg-spec-name pkg)))<br>
> (current-continuation-marks))))<br>
> ((if (USE-HTTP-DOWNLOADS?) download-package/http download-package/planet)<br>
> @@ -577,7 +577,7 @@ See the scribble documentation on the planet/resolver module.<br>
> (unless (install?)<br>
> (raise (make-exn:fail:planet<br>
> (format<br>
> - "PLaneT error: cannot install package ~s since the install? parameter is set to #f"<br>
> + "PLaneT error: cannot install package ~s without permission. Give permission with download? parameter or use 'raco planet install'"<br>
> (list (car pkg-path) pkg-name maj min))<br>
> (current-continuation-marks))))<br>
> (define owner (car pkg-path))<br>
<br>
</div></div>_________________________<br>
Racket Developers list:<br>
<a href="http://lists.racket-lang.org/dev" target="_blank">http://lists.racket-lang.org/dev</a><br>
</blockquote></div><br></div>