ThomasDickey / original-mawk

bug-reports for mawk (originally on GoogleCode)
http://invisible-island.net/mawk/mawk.html

support for -W sandbox mode #49

Open vapier opened 6 years ago

vapier commented 6 years ago

gawk provides a "sandbox" mode where it runs with access to programs/files/plugins disabled. this makes it safer to run with untrusted input so that awk is truly a dummy text processing pipeline tool. https://www.gnu.org/software/gawk/manual/gawk.html#index-_002d_002dsandbox-option

in Chromium OS, we had such a bug where someone managed to inject arbitrary code into the awk script and get access to system(). i won't debate the quality of the script in question here ;). https://crbug.com/766271

we have no need for awk to do any of this system level stuff, so a sandbox mode would be lovely. i implemented it in mawk here: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/release-R64-10176.B/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch

in order to download the raw file, use the txt link in the bottom right corner of that page ... you'll get base64 encoded content.

on top of that, it'd be great if there was a configure flag so we could, at compile time, just force enable sandbox mode. i implemented that too (while maintaining today's default behavior). https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/release-R64-10176.B/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch

ThomasDickey commented 6 years ago

thanks - will take a look...
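The request in this issue is for an awk that cannot reach programs or files while processing untrusted input. As an added example (not code from this issue or from the mawk or gawk projects), the wrapper below runs an awk program only under a sandbox it has verified by behaviour. The function names and exit status 3 are this example's own, and `mawk -W sandbox` is the option requested here, assumed to exist only in a patched build.

```shell
#!/bin/sh
# Added example; function names and exit status 3 are this example's own.

# Return 0 only if the awk command given as arguments refuses both
# system() and output redirection. Behaviour is tested, not option
# parsing, so a build that accepts the flag but ignores it is rejected.
sandbox_blocks_escape() {
    command -v "$1" >/dev/null 2>&1 || return 1
    probe_dir=$(mktemp -d) || return 1
    MARKER="$probe_dir/marker"; export MARKER
    rc_sys=0; rc_redir=0
    "$@" 'BEGIN { system("touch \"" ENVIRON["MARKER"] "\"") }' \
        </dev/null >/dev/null 2>&1 || rc_sys=$?
    "$@" 'BEGIN { print "x" > ENVIRON["MARKER"] }' \
        </dev/null >/dev/null 2>&1 || rc_redir=$?
    verdict=0
    [ "$rc_sys" -ne 0 ] && [ "$rc_redir" -ne 0 ] && [ ! -e "$MARKER" ] || verdict=1
    rm -rf "$probe_dir"; unset MARKER
    return "$verdict"
}

# Print the first candidate command that passes the probe.
# "gawk --sandbox" is documented by gawk; "mawk -W sandbox" is the
# option requested in this issue (assumption: patched builds only).
find_sandboxed_awk() {
    for candidate in "gawk --sandbox" "mawk -W sandbox"; do
        # Word splitting of $candidate into command and flag is intentional.
        if sandbox_blocks_escape $candidate; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Run an awk program under a verified sandbox, or refuse with status 3.
awk_sandboxed() {
    prefix=$(find_sandboxed_awk) || { echo "no sandboxed awk found" >&2; return 3; }
    $prefix "$@"
}
```

Refusing to run when the probe fails keeps a missing or ignored sandbox flag from silently falling back to an unrestricted awk.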