Bowo,
I believe that GNU plot also has a "system" command (and related shell
commands) which are also a rather large security hole. My solution in
STACK was not to let users set GNUplot options, rather than trying to
create a list of all bad functions.
Chris
On Mon, 19 Mar 2007, Bowo Prasetyo wrote:
> Hi,
>
> I found that using command for example..
>
> plot2d(sin(x), [x, -5, 5], [gnuplot_term, "png size 100000, 100000"])
>
> in MaximaPHP can cause Maxima to create an arbitrarily large file on your server..
>
> So.. I added the following pairs in the blacklist..
>
> 'plot2d', '/\bpng\b.*\bsize\b/s'
> 'plot3d', '/\bpng\b.*\bsize\b/s'
>
> Maybe there are other such holes.. so please be careful if you use
> MaximaPHP on your server.
>
> Best regards,
> bowo
> _______________________________________________
> Maxima mailing list
> Maxima at math.utexas.edu
> http://www.math.utexas.edu/mailman/listinfo/maxima
>
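To contrast the two approaches above, here is an added illustration that is not code from MaximaPHP or STACK, written in Python rather than PHP: the denylist regex is the one from the quoted post, while the allowed option set and the small argument splitter are assumptions made for the example. The allowlist version rejects any plot option the user is not permitted to set, whatever its value, so it does not depend on enumerating "bad" terminal strings.

```python
import re

# Denylist from the quoted post: reject plot2d/plot3d calls whose text matches
# "png ... size". PHP's /s flag lets "." span newlines; re.S does the same here.
DENYLIST = {
    "plot2d": re.compile(r"\bpng\b.*\bsize\b", re.S),
    "plot3d": re.compile(r"\bpng\b.*\bsize\b", re.S),
}

# Assumed allowlist for this example: option-list heads a user may set.
# gnuplot_term (and anything else not listed) is rejected regardless of value.
ALLOWED_OPTIONS = {"x", "y", "nticks"}

def top_level_args(body):
    """Split the text inside the call's parentheses on commas, ignoring commas
    nested in (), [] or "..." strings. (Escaped quotes are not handled.)"""
    args, depth, in_str, cur = [], 0, False, []
    for ch in body:
        if in_str:
            cur.append(ch)
            if ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur).strip())
    return args

def denylist_rejects(command):
    """Post's approach: pattern-match the whole command text."""
    m = re.match(r"\s*(plot2d|plot3d)\s*\(", command)
    return bool(m and DENYLIST[m.group(1)].search(command))

def allowlist_rejects(command):
    """Reply's approach: refuse any [name, ...] option list not in ALLOWED_OPTIONS."""
    m = re.match(r"\s*(plot2d|plot3d)\s*\((.*)\)\s*;?\s*$", command, re.S)
    if not m:
        return False  # not a plot call; other checks would apply to it
    for arg in top_level_args(m.group(2)):
        if arg.startswith("["):
            name = arg[1:].split(",", 1)[0].strip()
            if name not in ALLOWED_OPTIONS:
                return True
    return False
```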