MaximaPHP security update



On 3/19/07, Bowo Prasetyo <prazjp at gmail.com> wrote:

> mypre: "s";
> mypre: concat(mypre, "ystem(\"ls\")");
> plot2d(sin(x), [x, -3, 3], [gnuplot_preamble, mypre])
>
> and voila... I could see all my files and directories.. :-(
>
> Anyone know how to block this kind of hidden 'system' command..?

Presumably the right way to do this is to get the web server to
execute Maxima in a sandbox or something like that, in which
Maxima has a limited view of the file system and constraints
on memory and CPU time. Then there would be no need to attempt
to plug all the holes in Maxima, Gnuplot, or whatever. I don't know
how to arrange that, but if you figure it out, let us know. I think a
lot of people would be interested in that.

best
Robert
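A minimal wrapper for the resource-limit half of that suggestion, added here as an example and not taken from the thread or from MaximaPHP: it runs a command with CPU-time and memory limits from an empty scratch directory, so the pattern applies to any child the web server launches, not only Maxima. The function name run_confined and the limit values are assumptions; a truly limited view of the file system still needs a dedicated unprivileged user, a chroot or namespaces around this.

```shell
#!/bin/sh
# Added example, not from the thread or from MaximaPHP.
# Runs COMMAND under a CPU-time limit and a virtual-memory limit, from an
# empty scratch directory that is deleted afterwards.  Names (run_confined)
# and limit values are assumptions.  This only covers the "constraints on
# memory and CPU time" part of the suggestion: without a dedicated user,
# chroot or namespaces the child can still read world-readable files.
#
# usage: run_confined CPU_SECONDS MEM_KB COMMAND [ARGS...]
# returns the command's exit status (128+SIGXCPU when the CPU limit is hit)
run_confined() {
    cpu_seconds=$1
    mem_kb=$2
    shift 2
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" || exit 1
        # Soft limits set here are inherited by the exec'd command and all
        # of its children (gnuplot, anything a system() call spawns).
        ulimit -t "$cpu_seconds" || exit 1   # CPU seconds
        ulimit -v "$mem_kb" || exit 1        # virtual memory, in KB
        exec "$@"
    )
    status=$?
    rm -rf "$scratch"
    return "$status"
}

# Example call for the web server side (Maxima path and arguments assumed):
#   run_confined 10 262144 maxima --very-quiet -b plot.mac
```

CPU limits do not bound wall-clock time, so a child that merely sleeps still needs a separate watchdog or `timeout` in front of it.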