
Horrible security flaw in cmd.py

Open kahrkunne opened this issue 9 years ago • 5 comments

In cmd.py, line 201 says "out = eval(userInput)". This is an enormous security flaw, to the point where, if you are using cmd.py as cmd for lighthouse, even typing "os.system('rm -rf *')" in the window, without pressing enter, will delete all your files. ==SO DON'T DO THIS==

Being able to run an arbitrary command just by typing it is really horrible. Code shouldn't be executed just by typing it, and this is unlike any other behaviour in lighthouse.

kahrkunne avatar Sep 21 '15 18:09 kahrkunne
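As an added illustration of the fix the thread asks for (example code, not code from lighthouse or from its MathModule.py): an arithmetic-only evaluator built on Python's `ast` module that refuses names, attribute access and calls, plus a hypothetical `handle_keystroke` hook showing evaluation only when Enter is pressed. The `handle_keystroke` name and the tuple it returns are assumptions for the example.

```python
import ast
import operator
# Added example, not lighthouse's own code: an allow-listed arithmetic
# evaluator that can stand in for the `out = eval(userInput)` pattern the
# issue describes. Only numeric literals and arithmetic operators pass;
# names, attribute access and calls are refused, so an input such as
# "os.system('rm -rf *')" is rejected instead of executed.
_BINARY_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
               ast.Mult: operator.mul, ast.Div: operator.truediv,
               ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
_MAX_EXPONENT = 64  # keeps "9**9**9" from exhausting CPU and memory

class UnsafeExpression(ValueError):
    """Raised for anything that is not plain arithmetic."""

def _eval_node(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return _BINARY_OPS[type(node.op)](left, right)
    # Name, Attribute, Call, Subscript, str constants, ... all end up here.
    raise UnsafeExpression(ast.dump(node))

def safe_math_eval(text):
    """Evaluate an arithmetic expression, or raise UnsafeExpression."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(str(exc)) from None
    return _eval_node(tree.body)

def is_arithmetic(text):
    try:
        safe_math_eval(text)
    except UnsafeExpression:
        return False
    return True

def handle_keystroke(buffer, key):
    """Hypothetical input hook: buffer keys, evaluate only on Enter."""
    if key != "\n":
        return buffer + key, None  # a keystroke by itself executes nothing
    return "", safe_math_eval(buffer)
```

Division by zero still raises `ZeroDivisionError`, which a real launcher would catch and display like any other bad input.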

Time to start a new debate around noob level of users? :joy:

cicku avatar Sep 24 '15 08:09 cicku

this is a good point, it really should only execute when a specific key is hit. any suggestions for alternative interfaces kahrkunne? perhaps something like eval this part?

emgram769 avatar Sep 30 '15 15:09 emgram769

Something like "eval" would be fine, yeah. It doesn't really matter what it is anyways, what matters is that it doesn't execute arbitrary code just by typing it.

kahrkunne avatar Oct 09 '15 18:10 kahrkunne

This is one of those cases where a liability waiver could actually prove to be useful. Seriously though, consider adding a license.

ghost avatar Jan 25 '16 19:01 ghost

added a license file

@kahrkunne if you check out the modules branch, the file config/lighthouse/modules/MathModule.py should resolve the issue of evaluating code. this branch will be merged to master hopefully soon

emgram769 avatar Jan 26 '16 07:01 emgram769