The easiest way to ensure the safety of POV-Ray on a Linux system is
probably to use the OS built-in systems:
Let POV-Ray run with its own separate user account, and allow write
access only to one single directory: The one where rendering output is
to be written to. That should suffice for POV-Ray to run properly, it
doesn't need to write anywhere else.
In addition, you may want to watch out for the following POV-Ray specifics:
* INI files:
Some INI file settings allow a user to execute external commands, which
of course is a potential security risk.
The easiest way to solve this issue is to provide no way for the user to
submit their own INI files, and instead just provide a minimalistic
interface with options to pick from, then build an INI file from that
information. (Make sure that /if/ you allow some string parameters, that
you safeguard them against "INI option injection".)
Even if you do want to allow users to submit their own INI files, you
should use a "whitelist" approach to ensure that they're safe; anything
POV-Ray doesn't recognize as an INI option would be interpreted as a
file name, potentially allowing INI files or POV-Ray scenes to be
executed that you didn't check.
* Scene files:
Make sure to check all scene files and include files. Take care of the
following. (Note that blanks may go between hash signs and the actual
keywords!)
- "file_exists()" might be misused to try to sniff for files on your computer.
- "#fopen", "#write" and "#read" might be misused to try accessing
virtually anything on your computer.
- Texture, height field and other input files might be misused to try
reading other files on your computer.
- The "#include" statement might be misused to circumvent other safety
mechanisms, or to try reading other files on your computer. (Note that
POV-Ray does accept string variables to specify the filename.)
- Some standard include files may define macros that could be used to
circumvent other security checks; for instance, the "strings.inc" file
defines a macro "Parse_String" that allows an arbitrary string to be
interpreted as a POV-Ray SDL statement.
* Resources
Some scene files or output settings might make POV-Ray hungry for
resources, such as main memory, disk space, or simply computing time.
Try to get a lid on all these.
I'm quite sure I forgot some.
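As an added example (not from the post above and not part of POV-Ray), a small Python pre-render check that implements the whitelist approach described there: it flags the listed scene constructs while allowing for blanks after the hash sign, rejects includes outside a hypothetical reviewed list, and builds the INI file from a fixed set of options instead of passing user INI text through. The include whitelist, the INI option table and the value patterns are assumptions; the sample scene is constructed.

```python
import re

# Constructs the post flags in user-submitted scene files. POV-Ray allows
# blanks between '#' and the keyword, hence the \s* after the hash.
DIRECTIVE_RE = re.compile(r"#\s*(fopen|read|write)\b")
CALL_RE = re.compile(r"\b(file_exists|Parse_String)\s*\(")
INCLUDE_RE = re.compile(r'#\s*include\s*(?:"([^"]*)"|(\S+))')
# Hypothetical whitelist of reviewed include files; strings.inc is left out
# on purpose because it defines Parse_String.
ALLOWED_INCLUDES = {"colors.inc", "textures.inc", "shapes.inc"}

# Constructed sample scene mixing harmless and risky lines.
SAMPLE_SCENE = """#include "colors.inc"
# include "strings.inc"
#if (file_exists("secret.txt")) #end
#  fopen Out "out.txt" read
"""

def scan_scene(text):
    """Return [(line_no, finding), ...]; comments are not stripped on purpose."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        findings += [(no, "#" + m.group(1)) for m in DIRECTIVE_RE.finditer(line)]
        findings += [(no, m.group(1) + "()") for m in CALL_RE.finditer(line)]
        for m in INCLUDE_RE.finditer(line):
            literal, expr = m.groups()
            if literal is None:                    # variable or expression
                findings.append((no, "#include " + expr))
            elif literal not in ALLOWED_INCLUDES:
                findings.append((no, '#include "%s"' % literal))
    return findings

# INI side: never pass user INI text through. Build it from whitelisted
# options with strictly validated values (keys and patterns are assumptions).
INI_OPTIONS = {"Width": r"[1-9]\d{0,3}", "Height": r"[1-9]\d{0,3}", "Antialias": r"on|off"}

def build_ini(options, output_name):
    """Return INI text; raise ValueError on unknown keys or bad values."""
    lines = []
    for key, value in options.items():
        pattern = INI_OPTIONS.get(key)
        if pattern is None or not re.fullmatch(pattern, str(value)):
            raise ValueError("rejected INI option %s=%r" % (key, value))
        lines.append("%s=%s" % (key, value))
    # The one free string accepted: a tight charset rules out newlines and '='
    # so the value cannot smuggle in a second option (INI option injection).
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,40}", output_name):
        raise ValueError("bad output file name")
    lines.append("Output_File_Name=%s" % output_name)
    return "\n".join(lines) + "\n"
```

Run scan_scene over every scene and include file before rendering, and treat any finding as a reason to reject the job; the separate user account and single writable directory remain the primary safeguard.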