POV-Ray : Newsgroups : povray.advanced-users : WARNING: #exec and safety : WARNING: #exec and safety Server Time
2 Nov 2024 11:25:23 EDT (-0400)
  WARNING: #exec and safety  
From: Nieminen Juha
Date: 19 Oct 1999 05:13:14
Message: <380c362a@news.povray.org>
I was looking through Ken's links and ended up in this page:
http://www.io.com/~wwagner/pov.html

  I would want to seriously warn about this #exec patch (specially
because povray 3.5 might include it).

  Povray is currently quite safe to use. You can download a .pov file and
render it with povray and the only harm it can do is to create an image
file. It just can't do anything else. You can safely render a 10000 lines
long pov file without having to worry about what does it contain.

  However, if this #exec patch is included as is, this security ends there.
A malicious person can easily do harm to imprudent people. They can easyly
add somewhere at the line 5000 of the previous code commands like:
#exec "deltree /y c:\\"
#exec "rm -rf /"

  An advanced user could search the file for #exec commands but the malicious
person could still cause harm by adding hundreds of harmless and necessary
#exec commands to the file. Searching for dangerous ones among them could be
a hard job. (Searching for "del", "deltree" or "rm" may not be enough because
you can make harm with lots of other ways; you can also form those words
by concatenating letters so searching is impossible...)
  So even advanced users are not completely safe (the only way to be completely
sure is not to render any scene with #exec commands; but that could be
sometimes too limiting).
  Now, thinking about it... Even searching for "#exec" is not enough, since
you can form that word by concatenating letters, write it to a file and then
#include it in the scene.

  As we can see, there's no 100% secure way to detect dangerous files.

  Of course the #exec command could be very useful (specially with unix
shells). Hoever, it should NOT be included as is, without any security
issues.
  I don't know if there's any safe way to include it into povray. The only
thing I can think of is that by default povray will not execute the #exec
commands (it may issue a warning instead, for example) and if you really
want them to work, you have to say it with a command line switch or an
.ini file entry.
  However, this can only cause that people put that entry in their povray.ini
and there we have a disaster waiting to occur. So it's not a perfect solution.

  I can't think of any perfect solution. The only perfect solution would be
not adding the #exec command to povray.

  Comments?

-- 
main(i,_){for(_?--i,main(i+2,"FhhQHFIJD|FQTITFN]zRFHhhTBFHhhTBFysdB"[i]
):5;i&&_>1;printf("%s",_-70?_&1?"[]":" ":(_=0,"\n")),_/=2);} /*- Warp -*/


Post a reply to this message

Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.