[racket] Handin Server + PLAI problem

From: Robby Findler (robby at eecs.northwestern.edu)
Date: Sat Jan 14 18:39:32 EST 2012

Does variable-reference->module-source use current-directory?

If so, that'd explain this. (And either it would have to change or the
handin-server/sandbox would have to.)

Robby

On Sat, Jan 14, 2012 at 4:28 PM, Eli Barzilay <eli at barzilay.org> wrote:
> 40 minutes ago, Robby Findler wrote:
>> While we wait for Eli to either fix the bug or to track this down to
>> some other part of the system,
>
> It's not a handin server or a sandbox bug -- it's a problem of some
> code that tries to get `exists' access to some directories, which is
> usually harmless since the default security guard allows anything.  I
> can allow these directories by default through the sandbox if someone
> tells me which directories should be allowed.  (I also don't know what
> code causes it.)
>
>
>> applying this diff makes the problem go away for me.
>> [remove contract]
>
> This indicates that something in the contract wrapper does the
> access.  My guess is that some path manipulation function is used
> which checks the current directory.  If this is the case, and it's
> always the current directory, then I think that the right solution is
> to avoid it.  (I don't know if there are any security implications to
> allow exists access to the current directory, so I prefer to not open
> it up.)
>
> --
>          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
>                    http://barzilay.org/                   Maze is Life!



Posted on the users mailing list.