|
|
Ok with you! But I think that new user MUST know the risk of using script of
other user! Because it is not obvious for all user (I think) that the script of
povray is so powerful and can cause dammage to the system! So post some remark
like these ones to the general group and newuser group!
Fabian.
Ron Parker wrote:
> On 19 Oct 1999 05:13:14 -0400, Nieminen Juha wrote:
> > I was looking through Ken's links and ended up in this page:
> >http://www.io.com/~wwagner/pov.html
> >
> > I would want to seriously warn about this #exec patch (specially
> >because povray 3.5 might include it).
> >
> > Povray is currently quite safe to use. You can download a .pov file and
> >render it with povray and the only harm it can do is to create an image
> >file. It just can't do anything else. You can safely render a 10000 lines
> >long pov file without having to worry about what does it contain.
> >
> > However, if this #exec patch is included as is, this security ends there.
> >A malicious person can easily do harm to imprudent people. They can easyly
> >add somewhere at the line 5000 of the previous code commands like:
> >#exec "deltree /y c:\\"
> >#exec "rm -rf /"
>
> Whoa, better not tell y'all about Dan Connelly's #system patch that's been
> part of the superpatch since the beginning, then, huh? Though I'd be
> interested in knowing where you heard that 3.5 would include this #exec
> patch - this is the first time I've ever heard about it.
>
> Seriously, folks, consider this:
>
> #fopen FILE "c:\\autoexec.bat" append
> #write FILE "attrib -r -h -s c:\\windows\\system.dat\n"
> #write FILE "del c:\\windows\\system.dat\n"
> #fclose FILE
>
> Too obvious for you? What if I wrote it a character at a time to an .inc
> file using commands scattered throughout the code to my 10000 line scene
> file, then included the .inc file?
>
> And what if the animation you're rendering comes with an INI file? Are
> you going to remember to check the shellouts in the INI file?
>
> The point is, if you don't trust the source of a file, don't run it. Getting
> an unknown POV script over the Internet is just as dangerous as getting C
> source code or Perl source code or source code in any other programming
> language, because that's what it is.
>
> On the other hand, I can see where it would be nice if there were a command-
> line switch to disable the file i/o commands and anything else you might
> consider dangerous when rendering something questionable.
Post a reply to this message
|
|