Changes between Initial Version and Version 42 of Ticket #2877
Timestamp: 10/25/21 12:05:44 (3 months ago)

Ticket #2877

Status changed from new to positive_review
Authors changed from (empty) to Frédéric Chapoton
Cc: tscrim, slelievre, ghkliem, klee added
Milestone changed from (empty) to sage-9.5
Summary changed from "security risk: several constructors use eval to parse input" to "security risk: restrict the input of eval in CC constructor"
Commit changed from (empty) to 57e8e9bc41c8e41eca5cad8879e67ba49089a4f0
Branch changed from (empty) to u/chapoton/2877
Report Upstream changed from (empty) to N/A
Reviewers changed from (empty) to Travis Scrimshaw, Kwankyu Lee
Type changed from defect to enhancement
Status changed from

Ticket #2877 – Description
Changes between the initial version and v42 of the description:

Unmodified:
  There are valid uses for eval() and sage_eval(), it makes it much easier to parse output from interfaces for example.

Modified (initial version):
  It is difficult (if not impossible) to completely sanitize arbitrary input, but one should be able to be able to(say) write a backend that takes specific data, calls on Sage to process it, and then returns the result. For example, I might want a webpage that uses Sage to compute Julia sets, and takes as input a complex number. That the following work is scary

Modified (v42):
  It is difficult (if not impossible) to completely sanitize arbitrary input, but one should be able to (say) write a backend that takes specific data, calls on Sage to process it, and then returns the result. For example, I might want a webpage that uses Sage to compute Julia sets, and takes as input a complex number. That the following work is scary

Unmodified (the diff view elides several lines of the example block):
  {{{
  …
  sage: CC("os.exec(...)")
  }}}

Added (v42):
  In this ticket, one introduces restrictions on the text input to CC that prevent most of these terrible examples.
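As an added illustration of the v42 approach ("restrict the input of eval in CC constructor"), the following is a constructed parser that accepts only numeric literals, the name I, and basic arithmetic, and refuses everything else before any evaluation happens. It is not Sage's code or the branch on this ticket; it assumes Python's built-in complex as a stand-in for CC and treats I (or i) as the imaginary unit.

```python
import ast
import operator

# Constructed example, not Sage's code: a restrictive parser for complex-number
# strings in the spirit of "restrict the input of eval in CC constructor".
# Python's built-in complex stands in for Sage's CC; I (or i) is sqrt(-1).

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Pow: operator.pow}
_UNOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_NAMES = {"I": 1j, "i": 1j}   # the imaginary unit is the only legal name
_MAX_EXP = 64                 # bound exponents so "9**9**9" cannot burn CPU


def _fold(node):
    """Evaluate one AST node, allowing only literals, I, and + - * / **."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float, complex):
        return node.value
    if isinstance(node, ast.Name) and node.id in _NAMES:
        return _NAMES[node.id]
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNOPS:
        return _UNOPS[type(node.op)](_fold(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _fold(node.left), _fold(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXP:
            raise ValueError("exponent too large")
        return _BINOPS[type(node.op)](left, right)
    # Call, Attribute, Subscript, unknown Name, ... all land here, so the
    # ticket's "os.exec(...)" is refused before anything is evaluated.
    raise ValueError(f"disallowed element: {type(node).__name__}")


def safe_complex(text):
    """Parse a complex-number expression without ever calling eval()."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
        return complex(_fold(tree.body))
    except (SyntaxError, ValueError, ZeroDivisionError,
            OverflowError, RecursionError, MemoryError) as exc:
        raise ValueError(f"not a valid complex number: {text!r}") from exc


def rejects(text):
    """True when safe_complex refuses the input (used by the checks)."""
    try:
        safe_complex(text)
    except ValueError:
        return True
    return False
```

The whitelist is deliberately narrow: anything the grammar of a complex literal does not need (calls, attribute access, subscripts, other names) is a parse-tree node type that never gets evaluated, which is the property the ticket's summary asks for.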