Is this being run from a Unix system?
If so, why not just create a separate user (say maxima_php) in a
separate group with almost no read or write privileges on the rest of the file
system?
Then, run the MaximaPhP server from that user.
Just an idea,
-sen
---------------------------------------------------------------------------
| Sheldon E. Newhouse | e-mail: sen1 at math.msu.edu |
| Mathematics Department | |
| Michigan State University | telephone: 517-355-9684 |
| E. Lansing, MI 48824-1027 USA | FAX: 517-432-1562 |
---------------------------------------------------------------------------
On Mon, 19 Mar 2007, Robert Dodier wrote:
> On 3/19/07, Bowo Prasetyo <prazjp at gmail.com> wrote:
>
>> mypre: "s";
>> mypre: concat(mypre, "ystem(\"ls\")");
>> plot2d(sin(x), [x, -3, 3], [gnuplot_preamble, mypre])
>>
>> and voila... I could see all my files and directories.. :-(
>>
>> Anyone know how to block this kind of hidden 'system' command..?
>
> Presumably the right way to do this is to get the web server to
> execute Maxima in a sandbox or something like that, in which
> Maxima has a limited view of the file system and constraints
> on memory and cpu time. Then there would be no need to attempt
> to plug all the holes in Maxima, Gnuplot, or whatever. I don't know
> how to arrange that, but if you figure it out, let us know. I think a
> lot of people would be interested in that.
>
> best
> Robert
>
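The two suggestions in this message, a dedicated low-privilege account plus the memory and CPU-time constraints mentioned in the quoted reply, can be combined in a small wrapper. This is an added example, not code from the thread or from MaximaPHP; the limit values, the scratch-directory layout and the job file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The account name maxima_php comes from
# the message above; every limit value and path below is an assumption.

# Succeeds only when the current process runs under the expected numeric uid,
# so a misconfigured web server cannot start Maxima as itself or as root.
assert_account() {
    [ "$(id -u)" -eq "$1" ]
}

# run_confined CPU_SECONDS MEM_KB CMD [ARGS...]
# Runs CMD in a throwaway directory with a scrubbed environment and
# kernel-enforced CPU, address-space and file-size ceilings.
run_confined() {
    cpu=$1 mem_kb=$2
    shift 2
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/maxima.XXXXXX") || return 1
    (
        cd "$scratch" || exit 125
        umask 077
        # Fail closed: if any limit cannot be applied, do not start the job.
        ulimit -t "$cpu" || exit 125     # CPU seconds, SIGXCPU beyond this
        ulimit -v "$mem_kb" || exit 125  # virtual memory in KiB
        ulimit -f 2048 || exit 125       # largest file written, in shell blocks
        ulimit -c 0 || exit 125          # no core dumps
        # env -i drops inherited variables (credentials, CGI/PHP state).
        exec env -i PATH=/usr/bin:/bin HOME="$scratch" "$@"
    )
    status=$?
    rm -rf "$scratch"
    return "$status"
}

# Typical use from the web front end (placeholder batch file path):
#   assert_account "$(id -u maxima_php)" &&
#       run_confined 10 524288 maxima --very-quiet -b /path/to/job.mac
```

The limits bound CPU, memory and output size only; what the job can read is still decided by the file permissions of the maxima_php account.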