  WARNING: #exec and safety (Message 8 to 17 of 47)  
From: Nieminen Juha
Subject: Re: WARNING: #exec and safety
Date: 19 Oct 1999 12:34:53
Message: <380c9dad@news.povray.org>
Ron Parker <par### [at] fwicom> wrote:
:> (specially because povray 3.5 might include it).

: Whoa, better not tell y'all about Dan Connelly's #system patch that's been 
: part of the superpatch since the beginning, then, huh?  Though I'd be 
: interested in knowing where you heard that 3.5 would include this #exec
: patch - this is the first time I've ever heard about it.

  I didn't say that it will include it. I said that it might include it.
If I remember correctly, the povteam invited everyone who has made a patch
to send it so that they can check it and possibly include it in 3.5.

  On the other hand, if that #system command you talk about is the equivalent
to the #exec command, then we already have the problem in the superpatch.

: #fopen FILE "c:\\autoexec.bat" append
: #write FILE "attrib -r -h -s c:\\windows\\system.dat\n"
: #write FILE "del c:\\windows\\system.dat\n"
: #fclose FILE

: Too obvious for you?  What if I wrote it a character at a time to an .inc
: file using commands scattered throughout the code to my 10000 line scene
: file, then included the .inc file?

  Damn, you are right. I never thought about this.

: On the other hand, I can see where it would be nice if there were a command-
: line switch to disable the file i/o commands and anything else you might 
: consider dangerous when rendering something questionable.

  Since we obviously already have the security problem, I would say that this
is a good idea.
  With #system/#exec it may be a good idea what I suggested earlier: you
have to specify a command line switch to enable it.

-- 
main(i,_){for(_?--i,main(i+2,"FhhQHFIJD|FQTITFN]zRFHhhTBFHhhTBFysdB"[i]
):5;i&&_>1;printf("%s",_-70?_&1?"[]":" ":(_=0,"\n")),_/=2);} /*- Warp -*/



From: Nieminen Juha
Subject: Re: WARNING: #exec and safety
Date: 19 Oct 1999 12:41:23
Message: <380c9f33@news.povray.org>
Btw, I hope that my (perhaps a little bit paranoid) article helped at least
a bit so that people could be more cautious on what they render, specially
if you don't know the source of the file.

  And I thought that raytracing was a safe hobby... :)

-- 
main(i,_){for(_?--i,main(i+2,"FhhQHFIJD|FQTITFN]zRFHhhTBFHhhTBFysdB"[i]
):5;i&&_>1;printf("%s",_-70?_&1?"[]":" ":(_=0,"\n")),_/=2);} /*- Warp -*/



From: Ken
Subject: Re: WARNING: #exec and safety
Date: 19 Oct 1999 14:56:38
Message: <380CBE6F.D30FC62E@pacbell.net>
Nieminen Juha wrote:
> 
>   Btw, I hope that my (perhaps a little bit paranoid) article helped at least
> a bit so that people could be more cautious on what they render, specially
> if you don't know the source of the file.
> 
>   And I thought that raytracing was a safe hobby... :)

If any of those infamous POV-Ray Bulgarian hackers hear about this we
are all doomed !!!

Hi Peter :)

-- 
Ken Tyler -  1100+ Povray, Graphics, 3D Rendering, and Raytracing Links:
http://home.pacbell.net/tylereng/index.html http://www.povray.org/links/



From: Margus Ramst
Subject: Re: WARNING: #exec and safety
Date: 19 Oct 1999 15:12:26
Message: <380CC265.7C6ADAB4@peak.edu.ee>
Nieminen Juha wrote:
> 
>   I was looking through Ken's links and ended up in this page:
> http://www.io.com/~wwagner/pov.html
> 
>   I would want to seriously warn about this #exec patch (specially
> because povray 3.5 might include it).
> 
>   Povray is currently quite safe to use. You can download a .pov file and
> render it with povray and the only harm it can do is to create an image
> file. It just can't do anything else. You can safely render a 10000 lines
> long pov file without having to worry about what does it contain.
> 

The concern is of course not without cause. But the inclusion of file i/o
statement has already rendered this argument untrue. Yes, the #exec command
would facilitate writing malicious scripts, but the potential is already there.
Anyway, there are a thousand and one ways for the average Windows user to get
screwed (no, I mean figuratively speaking). Given all these options, is it really
likely that someone would specifically target the POV users?
I personally would like to have this functionality, since it is a very flexible
feature.

Margus



From: Peter Popov
Subject: Re: WARNING: #exec and safety
Date: 19 Oct 1999 17:07:13
Message: <j9gMOFih=QST+XrC2xH8cQANFGbf@4ax.com>
On Tue, 19 Oct 1999 11:54:39 -0700, Ken <tyl### [at] pacbellnet> wrote:

>If any of those infamous POV-Ray Bulgarian hackers hear about this we
>are all doomed !!!
>
>Hi Peter :)

Hi Ken :)

AFAIK I am the only Bulgarian who is using POV (after my friend
Stephan quit using it in favor of ASP programming yuck!). And you Ken
are the last person/AI to worry about. We've tried, God knows we've
tried, but the Ken secure grid is unbreakable (it were those darn
lasers that blew Ian's bum off the rail).




Peter Popov
ICQ: 15002700



From: Mark Wagner
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 01:27:46
Message: <380d52d2@news.povray.org>
Nieminen Juha wrote in message <380c362a@news.povray.org>...
>  I was looking through Ken's links and ended up in this page:
>http://www.io.com/~wwagner/pov.html
>
>  I would want to seriously warn about this #exec patch (specially
>because povray 3.5 might include it).
>
>  Povray is currently quite safe to use. You can download a .pov file and
>render it with povray and the only harm it can do is to create an image
>file. It just can't do anything else. You can safely render a 10000 lines
>long pov file without having to worry about what does it contain.


Along these lines, it *is* possible to write a POV-Ray virus that infects
POV scene files.  However, as things stand right now, the incredible disk
thrashing that would occur as the virus tries to find files to infect would
clue anyone in to what is happening.

Mark



From: omniVERSE
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 02:07:45
Message: <380d5c31@news.povray.org>
You are joking, right?  8^]  I mean disk thrashing can be a way of life if
the file(s) parse a great deal or otherwise use extensive amounts of memory,
as many must know.

Bob

Mark Wagner <mar### [at] gtenet> wrote in message
news:380d52d2@news.povray.org...
>
> Nieminen Juha wrote in message <380c362a@news.povray.org>...
> >  I was looking through Ken's links and ended up in this page:
> >http://www.io.com/~wwagner/pov.html
> >
> >  I would want to seriously warn about this #exec patch (specially
> >because povray 3.5 might include it).
> >
> >  Povray is currently quite safe to use. You can download a .pov file and
> >render it with povray and the only harm it can do is to create an image
> >file. It just can't do anything else. You can safely render a 10000 lines
> >long pov file without having to worry about what does it contain.
>
>
> Along these lines, it *is* possible to write a POV-Ray virus that infects
> POV scene files.  However, as things stand right now, the incredible disk
> thrashing that would occur as the virus tries to find files to infect would
> clue anyone in to what is happening.
>
> Mark
>
>



From: Jon A  Cruz
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 03:07:04
Message: <380D6A55.599B0758@geocities.com>
And on Windows NT it's worse. I just got a new NT box placed in my office.
After booting into NT, and without even attempting to log-in, just booting, it
went crazy. After coming up with the NT log-in thingie, it then went into over
5-10 minutes of just constant disk thrashing. And that was with me not doing
anything.


omniVERSE wrote:

> You are joking, right?  8^]  I mean disk thrashing can be a way of life if
> the file(s) parse a great deal or otherwise use extensive amounts of memory,
> as many must know.
>
> Bob
>
> Mark Wagner <mar### [at] gtenet> wrote in message
> news:380d52d2@news.povray.org...
> >
> >
> > Along these lines, it *is* possible to write a POV-Ray virus that infects
> > POV scene files.  However, as things stand right now, the incredible disk
> > thrashing that would occur as the virus tries to find files to infect would
> > clue anyone in to what is happening.
> >
> > Mark
> >
> >



From: Remco de Korte
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 03:17:13
Message: <380D6C9A.8D8B757D@xs4all.nl>
Nieminen Juha wrote:
> 
>   With #system/#exec it may be a good idea what I suggested earlier: you
> have to specify a command line switch to enable it.
> 

A command line switch wouldn't do. Somebody already mentioned that you'd
probably put that in an inifile and forget about it. Prompting with every
POV-session would be better I think (as with the file-saving). I don't know if
this is as easy on all platforms.

Remco



From: Remco de Korte
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 03:23:22
Message: <380D6E0A.481BA874@xs4all.nl>
Margus Ramst wrote:
> 
> 
> The concern is of course not without cause. But the inclusion of file i/o
> statement has already rendered this argument untrue. Yes, the #exec command
> would facilitate writing malicious scripts, but the potential is already there.
> Anyway, there are a thousand and one ways for the average Windows user to get
> screwed (no, I mean figuratively speaking). Given all these options, is it really
> likely that someone would specifically target the POV users?
> I personally would like to have this functionality, since it is a very flexible
> feature.
> 
> Margus

There are of course those outcasts that hate POV enough to target only that
group ;)

But seriously: it would be a great way to bypass all security measures because
there is no virus scanner yet that scans pov-scripts. 
I hadn't thought of the possibility before, but Nieminen had a point here. As
with the macro-viruses: it sounds silly until it happens to you.

Remco
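
Added example, not part of any post in this thread: a small pre-render check for the two points raised above, the `#fopen ... append` scene quoted from Ron Parker and Remco's remark that no scanner looks at pov-scripts. The function names and the sample scene are hypothetical; the directive names (`#fopen`, `#include`, `#exec`, `#system`) are taken from the thread. It also reports the case Ron describes, a scene that includes a file it wrote itself, since the content of that file is not visible to a static scan.

```python
import re

STR = r'"(?:[^"\\]|\\.)*"'                      # SDL string literal
TOKEN = re.compile(STR + r'|//[^\n]*|/\*.*?\*/', re.S)
SHELL = re.compile(r'#\s*(exec|system)\b')      # patch directives named in the thread
FOPEN = re.compile(r'#\s*fopen\s+\w+\s+((?:%s|[^"\n])+?)\s+(read|write|append)\b' % STR)
INCLUDE = re.compile(r'#\s*include\s+(%s|\S+)' % STR)

def strip_comments(text):
    """Blank out comments (nested /* */ not handled); keep strings and line breaks."""
    blank = lambda m: m.group(0) if m.group(0)[0] == '"' else re.sub(r'[^\n]', ' ', m.group(0))
    return TOKEN.sub(blank, text)

def literal(tok):  # file name if tok is a plain string literal, else None (computed name)
    ok = re.fullmatch(STR, tok)
    return tok[1:-1].replace('\\\\', '\\').lower() if ok else None

def scan_scene(text):
    """Return sorted (line, kind, detail) findings for one scene file's text."""
    src = strip_comments(text)
    line = lambda pos: src.count('\n', 0, pos) + 1
    findings, written = [], set()
    for m in SHELL.finditer(src):
        findings.append((line(m.start()), 'shell', '#' + m.group(1)))
    for m in FOPEN.finditer(src):
        if m.group(2) != 'read':
            name = literal(m.group(1))
            written.add(name)
            findings.append((line(m.start()), 'file-write', name or m.group(1)))
    for m in INCLUDE.finditer(src):
        name = literal(m.group(1))
        if name is None:
            findings.append((line(m.start()), 'dynamic-include', m.group(1)))
        elif name in written:
            # Scene includes a file it wrote itself: content exists only at parse time.
            findings.append((line(m.start()), 'generated-include', name))
    return sorted(findings)

# Constructed sample scene (benign content), not taken from the thread.
SAMPLE = r'''
#fopen FILE "c:\\autoexec.bat" append
#write FILE "rem constructed\n"
#fopen GEN "part.inc" write
#write GEN "sphere { 0, 1 }\n"
#fclose GEN
/* #system "inside a comment, ignored" */
#include "part.inc"
'''
print(scan_scene(SAMPLE))
```

A `generated-include` or `dynamic-include` finding means the scan cannot say what will be parsed, so such a scene is one to render only with file output and `#exec`/`#system` disabled or inside a sandboxed account.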


