Open markozajc opened 2 years ago
Is there any proper, supported method to disabling the unsafe functions?
Here's what I do: qalculate-helper.git/tree/qalculate-helper.cpp
This prevents the functions from being called directly, but it potentially causes a sigsegv if the function is called by something else (e.g. variable := value will call save() internally for example, causing a sigsegv), but I at least don't think that's ever the case with command() and uptime(). save() and function() themselves should be fine as long as you don't reuse the same Calculator object, otherwise global constants and functions can be overwritten.
Is there any proper, supported method to disabling the unsafe functions?
If feasible, recompile libqalculate with the --without-gnuplot-call configure option to disable command() and plot(), or comment out the relevant lines in the code, in the functions loadBuiltinVariables() and loadBuiltinFunctions() in libqalculate/Calculator.cc line 1499.
variable := value will call save() internally for example, causing a sigsegv
I will fix this.
libqalculate will by default (with unfiltered input) allow RCE if the calculations are performed on a remote server. Without first consulting the function list, one might easily miss the rather dangerous command() function, and a few other less dangerous capabilities (leaking system information with the uptime variable, inserting custom messages with message(), warn(), and error(), changing state with save(), potentially others?). It might be worth pointing such capabilities out somewhere clear to prevent unintended system exposure.