Changes between Initial Version and Version 42 of Ticket #2877


Timestamp: 10/25/21 12:05:44 (3 months ago)
Author: chapoton
Comment:

voilà, voilà.

  • Ticket #2877

    • Property Status changed from new to positive_review
    • Property Authors changed from (empty) to Frédéric Chapoton
    • Property Cc: tscrim, slelievre, gh-kliem, klee added
    • Property Milestone changed from (empty) to sage-9.5
    • Property Summary changed from "security risk -- several constructors use eval to parse input" to "security risk -- restrict the input of eval in CC constructor"
    • Property Commit changed from (empty) to 57e8e9bc41c8e41eca5cad8879e67ba49089a4f0
    • Property Branch changed from (empty) to u/chapoton/2877
    • Property Report Upstream changed from (empty) to N/A
    • Property Reviewers changed from (empty) to Travis Scrimshaw, Kwankyu Lee
    • Property Type changed from defect to enhancement
  • Ticket #2877 – Description

    initial  v42
    1        1    There are valid uses for eval() and sage_eval(), it makes it much easier to parse output from  interfaces for example.
    2        2
    3             Removed: It is difficult (if not impossible) to completely sanitize arbitrary input, but one should be able to be able to (say) write a backend that takes specific data, calls on Sage to process it, and then returns the result. For example, I might want a webpage that uses Sage to compute Julia sets, and takes as input a complex number. That the following work is scary
             3    Added:   It is difficult (if not impossible) to completely sanitize arbitrary input, but one should be able to (say) write a backend that takes specific data, calls on Sage to process it, and then returns the result. For example, I might want a webpage that uses Sage to compute Julia sets, and takes as input a complex number. That the following work is scary
    4        4
    5        5    {{{
    …        …    (lines 6–11 unchanged, not shown)
    12       12   sage: CC("os.exec(...)")
    13       13   }}}
             14   Added:
             15   Added:   In this ticket, one introduces restrictions on the text input to CC that prevent most of these terrible examples.
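As an added illustration of the risk the description talks about and of the kind of restriction the ticket summary asks for, here is a stand-alone Python example written for this page. It is not Sage's CC constructor and not the change on branch u/chapoton/2877. The first function emulates a constructor that hands its string argument to eval(), which is what makes CC("os.exec(...)") scary. The second accepts only the arithmetic of complex-number literals: it parses the string with the ast module and walks the tree, refusing every node type outside a small whitelist, so no call, attribute access or import can ever be reached. The names cc_unsafe, cc_safe, UnsafeInput, rejects and unsafe_eval_ran_code, the accepted spellings of the imaginary unit, the operator whitelist and the 200-character cap are all choices made for the example; Python's built-in complex stands in for Sage's CC.

```python
import ast
import os

# Added example for this page; neither function is Sage's CC constructor
# nor the patch on u/chapoton/2877. All names below are assumptions.


def cc_unsafe(text):
    """Emulates the risky pattern: the whole string goes to eval().

    eval() inserts __builtins__ into a globals dict that lacks it, so the
    caller can reach __import__ and run arbitrary code instead of a number.
    """
    return eval(text, {"I": 1j})


class UnsafeInput(ValueError):
    """Raised when the input uses anything beyond complex-number arithmetic."""


# Whitelist of syntax the restricted evaluator understands (example choice).
ALLOWED_BINOPS = {
    ast.Add: lambda a, b: a + b,
    ast.Sub: lambda a, b: a - b,
    ast.Mult: lambda a, b: a * b,
    ast.Div: lambda a, b: a / b,
}
ALLOWED_UNARYOPS = {ast.UAdd: lambda a: +a, ast.USub: lambda a: -a}
ALLOWED_NAMES = {"I": 1j, "i": 1j}   # imaginary unit spellings (assumption)
MAX_INPUT_LENGTH = 200               # bounds parser work; arbitrary for the example


def _eval_node(node):
    """Evaluate one AST node, refusing every node type outside the whitelist."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant):
        value = node.value
        # bool is a subclass of int; keep True/False out as well
        if isinstance(value, (int, float, complex)) and not isinstance(value, bool):
            return value
        raise UnsafeInput("only numeric literals are allowed")
    if isinstance(node, ast.Name):
        if node.id in ALLOWED_NAMES:
            return ALLOWED_NAMES[node.id]
        raise UnsafeInput("unknown name: %s" % node.id)
    if isinstance(node, ast.UnaryOp) and type(node.op) in ALLOWED_UNARYOPS:
        return ALLOWED_UNARYOPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in ALLOWED_BINOPS:
        return ALLOWED_BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    # Call, Attribute, Subscript, Lambda, Pow, comprehensions, ... all land here
    raise UnsafeInput("disallowed syntax: %s" % type(node).__name__)


def cc_safe(text):
    """Parse a complex-number expression without ever calling eval()."""
    if not isinstance(text, str):
        raise UnsafeInput("expected a string")
    if len(text) > MAX_INPUT_LENGTH:
        raise UnsafeInput("input too long")
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except (SyntaxError, ValueError) as exc:   # ValueError: e.g. null bytes
        raise UnsafeInput("not a complex-number expression") from exc
    try:
        return complex(_eval_node(tree))
    except (ZeroDivisionError, OverflowError) as exc:
        raise ValueError("arithmetic error in input") from exc


def rejects(text):
    """True if cc_safe refuses the input (convenience for checks)."""
    try:
        cc_safe(text)
    except ValueError:          # UnsafeInput is a ValueError subclass
        return True
    return False


def unsafe_eval_ran_code():
    """Show that cc_unsafe executes a payload: it returns our own PID."""
    return cc_unsafe("__import__('os').getpid()") == os.getpid()


if __name__ == "__main__":
    print(cc_safe("1 + 2*I"))            # (1+2j)
    print(rejects("os.exec(...)"))        # True: Call node is refused
    print(unsafe_eval_ran_code())         # True: the eval() version ran code
```

Note that "os.exec(...)" is syntactically valid Python (the "..." is the Ellipsis literal), so it is the AST walk, not the parser, that stops it; a regex over the raw string would be a weaker substitute, since it has to anticipate every spelling of a call or attribute access.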