DMD 1.005 release [security concerns about ImportExpressions]
Jeff McGlynn
d at jeffrules.com
Sat Feb 10 01:19:10 PST 2007
On 2007-02-06 23:51:17 -0800, "Andrei Alexandrescu (See Website For
Email)" <SeeWebsiteForEmail at erdani.org> said:
> Vladimir Panteleev wrote:
>> On Tue, 06 Feb 2007 06:54:18 +0200, Walter Bright
>> <newshound at digitalmars.com> wrote:
>>
>>> http://www.digitalmars.com/d/changelog.html
>>
>> Hmm. What would prevent someone from writing programs like:
>> writef(import("/etc/passwd"));
>> and trick someone to compile this program for them (under the pretext
>> that they don't have a D compiler, for example) to steal the user list
>> (or the contents of any other file with a known absolute or relative
>> path on the victim's system)?
>>
>> IMO, the compiler should at least issue a warning when importing a file
>> not located in/under the source file's directory. Although, if the
>> source emits a lot of pragma(msg) messages, the warning might get
>> cluttered by those - or this might be concealed in a large program with
>> a lot of files. A better security-wise solution is to disallow
>> importing files outside the source file's directory, unless specified
>> by the user on the command-line.
>
> How would the bad person see the output of the compilation?
>
> Andrei
By asking someone else to compile code for you and send back the
executable. Some services exist for compiling C/C++ on the web and
this concern would prevent people from doing the same with D.
-- Jeff McGlynn
More information about the Digitalmars-d-announce
mailing list