From: Jeremy Stanley
Date: Sat, 3 Oct 2020 20:16:02 +0000 (+0000)
Subject: Replace show result with debug evaluate command
X-Git-Tag: 0.3.0~4
X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=commitdiff_plain;h=d1362ea83d4d7eae9dd786109c02224928b2bf01;hp=d1362ea83d4d7eae9dd786109c02224928b2bf01

Replace show result with debug evaluate command

The show result subcommand was quite unsafe. Even though it limited the globals for strings passed to the env() builtin, it was still possible for admins to do things like call the exec() builtin and then import other modules, or use open() to overwrite files writeable by the user under which the engine was running.

Introduce a new evaluate command as a substitute and remove the show result subcommand. Use the debugging framework to limit access to evaluate so that it's only available if debug mode is enabled in the configuration at the time the daemon is started. Further limit evaluate to not have most of the normal builtins, and explicitly reject any strings containing a double-underscore (__) so that base attributes of other modules such as __builtins__ can't be called into easily, or "lambda" so that lambda functions can't be used to work around protections.

Also add some selftests to make sure evaluate can still use the expressions we previously tested with show result, and that only administrators can use it, and that it's only available to them when debug mode is enabled.

The evaluate command is still to be considered quite unsafe, and debug mode should only be engaged when all administrators with access to the service are trusted with the same permissions the system account running the service also possesses.

---
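
The restrictions listed in the commit message (debug-mode gate, administrator check, reduced builtins, rejection of `__` and `lambda`), sketched as an added example. This is not mudpy's code or the code from this commit; `evaluate`, `EvaluateDenied`, `SAFE_BUILTINS` and the sample inputs are hypothetical names and constructed values.

```python
# Added illustration; not mudpy's code. All names here are hypothetical.
REJECTED_SUBSTRINGS = ("__", "lambda")

# Small allowlist; exec, eval, open and the import machinery are absent.
SAFE_BUILTINS = {"abs": abs, "len": len, "max": max, "min": min,
                 "sorted": sorted, "str": str, "sum": sum}

class EvaluateDenied(Exception):
    """Raised when a request is refused before any evaluation happens."""

def evaluate(expression, *, debug_enabled, is_admin, names=None):
    """Evaluate one expression under the restrictions the commit describes."""
    if not debug_enabled:
        raise EvaluateDenied("evaluate is only available in debug mode")
    if not is_admin:
        raise EvaluateDenied("evaluate is restricted to administrators")
    for needle in REJECTED_SUBSTRINGS:
        if needle in expression:
            raise EvaluateDenied("expression contains %r" % needle)
    # Supplying our own "__builtins__" stops eval() from injecting the
    # real builtins module into the globals mapping.
    env = {"__builtins__": dict(SAFE_BUILTINS)}
    env.update(names or {})
    try:
        return repr(eval(expression, env))
    except Exception as exc:  # report the failure to the caller as text
        return "%s: %s" % (type(exc).__name__, exc)

def demo():
    """Run constructed sample inputs and return (input, outcome) pairs."""
    samples = ["12345*67890", "sum(len(w) for w in words)",
               "open('scratch.txt', 'w')", "exec('import os')",
               "__builtins__", "(lambda: 1)()"]
    results = []
    for text in samples:
        try:
            outcome = evaluate(text, debug_enabled=True, is_admin=True,
                               names={"words": ["mud", "py"]})
        except EvaluateDenied as exc:
            outcome = "denied: %s" % exc
        results.append((text, outcome))
    return results

if __name__ == "__main__":
    for text, outcome in demo():
        print("%-32s -> %s" % (text, outcome))
```

As the commit message says of the real command, a filter of this kind narrows what an expression can reach but is not a sandbox, so the debug-mode and administrator gates remain the primary control.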