Some questions about the Sandbox.pm:
- why do readFromProcessArray and readFromProcess have different interfaces
- why does readFromProcessArray exist anyway
- can we have a SandboxContrib.pm for Cairo (OT)
- will there be a security release for Cairo that makes use of the Sandbox stuff wherever possible (OT)
- what about all the FIXMEs: who takes care of that?
- there are different flavours of communication with external processes depending on what the platform supports; some of that stuff is marked as non-functional; who will test?
Bottom line: we must assure Dakar's security mechanism. This stuff isn't ready yet.
-- TWiki:Main.MichaelDaum
The sandbox code is a bit of a mess. It looks like the safe pipes were implemented, and the rest left hanging. Note that even the safe pipes code isn't right; it throws away STDERR.
-- TWiki:Main.MichaelDaum
While we're on the topic, error reporting from RcsWrap upwards is done using a mixture of error returns and exceptions. The error returns are rarely checked, so there are probably errors in there being ignored. This is unforgivable.
CC
Done, SVN 4560.
- Moved all methods with knowledge of the file system into the store impl modules (Rcs*).
- Changed all error reporting and trapping from store to use exceptions
- Fixed all (I hope) the bugs that it revealed.
- One of the main things fixed was the Sandbox. I have been unable to test on Windows, but judging from comments on the web it should work now with ActiveState Perl. There were several errors.
- Changed the RCS methods so that they no longer do 'last minute' untainting. Instead, untainting is done when the data is first read, which avoids the risk of tainted data propagating through the system. The new UNTAINTED method in Assert is a big help there.
- Had to rewrite the TestFixturePlugin to parse the HTML for differencing, as HTML::Diff (the CPAN module) was crashing on unbalanced tags.
- Updated and ran all tests and TestCases.
Unit tests all pass, testcases all pass, and exercising the code seems to be OK, but this check-in is almost certain to highlight more existing errors in the code that were not being detected previously.
CC
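The three complaints in this thread (the safe pipe discarding STDERR, error returns that nobody checks, and last-minute untainting) can be illustrated together in a single small runner. The following Perl is an added example written for this discussion, not code from TWiki's Sandbox.pm or from the Cairo/Dakar stores; `run_safe`, its `$ok_pattern` argument and the `/bin/echo` invocation at the bottom are all constructed for the illustration. It runs the program without a shell (list-form `exec`), drains STDOUT and STDERR separately, raises an exception on any failure instead of returning a status the caller may ignore, and untaints the output at the moment it is read, against a pattern the caller supplies.

```perl
#!/usr/bin/perl -T
# Added example, not TWiki's Sandbox.pm: a minimal "safe pipe" command runner.
# It runs the program without a shell, keeps STDERR instead of discarding it,
# reports failure by throwing (die) rather than by a return code the caller
# might ignore, and untaints the output at the point it is read.
use strict;
use warnings;
use IO::Select;

# Taint mode refuses to exec with an untrusted environment, so pin it down.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# run_safe($ok_pattern, @cmd): run @cmd (list form, so /bin/sh is never
# involved) and return (stdout, stderr). Dies if fork/exec fails, if the exit
# status is non-zero, or if stdout does not match $ok_pattern (the untaint check).
sub run_safe {
    my ($ok_pattern, @cmd) = @_;
    pipe(my $out_r, my $out_w) or die "pipe: $!";
    pipe(my $err_r, my $err_w) or die "pipe: $!";

    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                       # child
        close $out_r; close $err_r;
        open(STDOUT, '>&', $out_w) or die "dup stdout: $!";
        open(STDERR, '>&', $err_w) or die "dup stderr: $!";
        exec { $cmd[0] } @cmd             # only returns on failure
            or do { print STDERR "exec $cmd[0] failed: $!\n"; exit 127 };
    }
    close $out_w; close $err_w;

    # Drain both pipes together: reading one to EOF first can deadlock when
    # the child fills the other pipe's buffer.
    my $sel = IO::Select->new($out_r, $err_r);
    my %buf = (fileno($out_r) => '', fileno($err_r) => '');
    while ($sel->count) {
        for my $fh ($sel->can_read) {
            my $n = sysread($fh, my $chunk, 4096);
            if (!$n) { $sel->remove($fh); next; }
            $buf{fileno($fh)} .= $chunk;
        }
    }
    my ($stdout, $stderr) = ($buf{fileno($out_r)}, $buf{fileno($err_r)});
    close $out_r; close $err_r;

    waitpid($pid, 0);
    my $status = $?;
    die "'@cmd' failed with status " . ($status >> 8) . ": $stderr"
        if $status != 0;

    # Untaint at the boundary: only output matching the caller's pattern
    # escapes, and it is the capture (not the tainted $stdout) that is returned.
    die "'@cmd' produced unexpected output" unless $stdout =~ /\A($ok_pattern)\z/s;
    return ($1, $stderr);
}

# Constructed usage: a harmless command with a ';' in one argument. Because
# exec receives a list, the ';' is just text handed to echo, not a separator.
my ($out, $err) = run_safe(qr/[\w\s.;:\/-]*/, '/bin/echo', 'hello;', 'world');
print "stdout: $out";
print "stderr: $err" if length $err;
```

Run it as `perl -T` (the `-T` on the shebang line only takes effect when the script is started directly), and note the pattern is deliberately narrow: anything the caller has not explicitly allowed through `$ok_pattern` stays tainted and the call dies, which is the opposite of untainting whatever happens to come back from RCS just before it is used.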