function "ls"

Sylvestre Ledru

function "ls"

Hi,

I am thinking about changing the behaviour of the function ls
http://www.scilab.org/product/man/index.php?module=fileio&page=ls.htm

I would like to remove the second input argument for a few reasons:
* Security issues. This simple example shows how weak it is:
 ls("*.sci","`echo hacked >/tmp/hmhm`")

* Compatibility and portability. A user working under Linux and using
tricks on this function won't have the same result under proprietary
operating systems.

* We are too closely tied to the ls behaviour of the platform.

* The code could be plugged directly into listfiles and therefore
facilitate maintenance (this is already the case under Windows).

Any objections?

Sylvestre
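The weakness in the post above is that the second argument of ls is spliced into a command line handed to the system shell, so a backtick substitution in an "options" string runs arbitrary commands. The block below is an added illustration, not Scilab code and not part of the original thread: it models the weak design in Python (a shell-interpolated wrapper around ls standing in for the .sci macro calling unix()) beside the in-process glob expansion that a listfiles-style replacement amounts to. The helper names, the temporary directory and the file names are constructed for the demonstration.

```python
"""Command injection through a shell-interpolated option string, beside the
safe in-process replacement. Added example; POSIX shell and `ls` assumed."""
import glob
import os
import subprocess
import tempfile


def ls_via_shell(pattern, options=""):
    """Models the weak design: both arguments are spliced into one command
    line that /bin/sh parses, so `...`, ;, |, > in `options` are executed."""
    result = subprocess.run(f"ls {options} {pattern}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def ls_via_glob(pattern):
    """Safe replacement: no shell is spawned and no option string exists.
    The pattern is expanded in-process; metacharacters are just characters."""
    return sorted(os.path.basename(p) for p in glob.glob(pattern))


def demo():
    """Constructed scenario. Returns (payload_ran, safe_listing, glob_of_payload):
    whether the injected command created its marker file, what the safe
    version lists for *.sci, and what it does with the same payload string."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.sci", "b.sci", "c.txt"):
            open(os.path.join(tmp, name), "w").close()
        marker = os.path.join(tmp, "hmhm")  # constructed stand-in for /tmp/hmhm

        # The "options" argument carries the command substitution from the mail.
        ls_via_shell(os.path.join(tmp, "*.sci"), f"`echo hacked >{marker}`")
        payload_ran = os.path.exists(marker)

        safe_listing = ls_via_glob(os.path.join(tmp, "*.sci"))

        # Handing the same payload to the glob version treats it as a literal
        # path that does not exist: nothing is executed, nothing is matched.
        glob_of_payload = ls_via_glob(f"`echo hacked >{marker}2`")
        return payload_ran, safe_listing, glob_of_payload


if __name__ == "__main__":
    print(demo())
```

The point the test below pins down is the one the mail makes: with the shell in the path, the marker file appears even though the caller only asked for a listing; with in-process expansion there is no second argument to abuse and the payload string is inert.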



Allan CORNET

Re: function "ls"

Hi,

+1 to using listfiles in ls on Linux & Windows

Allan

At 10:16 AM 2/8/2008, Sylvestre Ledru wrote:
[quoted original message, see above]



==============================================
Allan CORNET
Scilab Consortium
http://www.scilab.org
INRIA - Unité de Recherche de Rocquencourt
Domaine de Voluceau - B.P. 105
78153 Le Chesnay Cedex

==============================================
Projet Scilab
Bâtiment 1B - Bureau 009
Email : [hidden email]
==============================================
Pierre MARECHAL

Re: function "ls"

I agree with you; unix() calls in the .sci macros (of the Scilab distribution) have to be prohibited.

Pierre



Sylvestre Ledru wrote:
[quoted original message, see above]

-- 
===================================================
Pierre MARECHAL
INRIA - Centre de Recherche de Paris - Rocquencourt
Domaine de Voluceau - B.P. 105
78153 Le Chesnay Cedex
===================================================
Equipe-Projet Scilab
Bâtiment 1B - Bureau 008
Email : [hidden email]
===================================================
Vincent COUVERT

Re: function "ls"

Hi,

I totally agree with you. You can remove this security issue and base ls
on listfiles.

Vincent

Sylvestre Ledru wrote:
[quoted original message, see above]

--
==============================================
Vincent COUVERT
Centre de Recherche INRIA Paris-Rocquencourt
Domaine de Voluceau - B.P. 105
78153 Le Chesnay Cedex
==============================================
Equipe Projet SCILAB
Bâtiment 1B - Bureau 013
Email : [hidden email]
Tél : +33 (0)1 39 63 54 46
Fax : +33 (0)1 39 63 55 94
==============================================