Reading ./.ghci files raises security issues
Reported by: nomeata
Owned by:
Type of failure: Other
Difficulty: Unknown
Test Case:
Blocked By:
GHCi will execute .ghci files in the current directory, and this can be used to run arbitrary shell commands.
It seems to me that most people would not expect that running "ghci" in a directory can cause arbitrary commands to be executed. This could be a security issue, e.g. running ghci in a just-downloaded software package with a rogue .ghci file.
It also affects "ghc -e" invocations, which could conceivably be used in aliases or scripts for some action unrelated to running a ghci session, as in http://www.joachim-breitner.de/blog/archives/156-Haskell-on-the-Command-Line.html
I just noticed that it will not read files in directories not owned by you and warns you about it (e.g. in /tmp), which is a good start. But this does not help against files in packaged repositories.
Maybe ghci could keep a white-list of files somewhere in ~/.ghci and ask if it should execute a .ghci file that has not been encountered before.
Alternatively (and more work) a safe subset of options (such as inclusion paths) could be identified and only those would be allowed in ./.ghci, while ~/.ghci allows all commands.
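The allow-list idea from the report, as an added example that is not part of the ticket or of GHC itself: a POSIX shell wrapper that refuses to start ghci while the current directory holds a ./.ghci whose SHA-256 is not yet recorded, shows the file, and lets the user record it once reviewed. The allow-list path (GHCI_TRUSTED, defaulting to ~/.ghci_trusted), the function names and the sample .ghci content are all assumptions of this example, not anything GHC provides; GHCi's own ownership check on the directory is left in place and not replaced by this script.

```shell
#!/bin/sh
# Added example, not GHC code: gate "ghci" on an allow-list of reviewed ./.ghci files.
# GHCI_TRUSTED (default ~/.ghci_trusted) is an assumed location for the allow-list,
# one SHA-256 hex digest per line.

TRUST_FILE="${GHCI_TRUSTED:-$HOME/.ghci_trusted}"

# Print the SHA-256 hex digest of file $1 (sha256sum on Linux, shasum on macOS/BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if directory $1 (default .) has no ./.ghci, or has one whose digest
# is in the allow-list; return 1 if an unreviewed ./.ghci is present.
# Hashing the content (not the path) means an edited file must be reviewed again.
ghci_dir_ok() {
    dir="${1:-.}"
    f="$dir/.ghci"
    [ -f "$f" ] || return 0
    [ -f "$TRUST_FILE" ] || return 1
    h=$(hash_file "$f")
    grep -qx "$h" "$TRUST_FILE"
}

# Record the digest of $1/.ghci in the allow-list after the user has read it.
trust_ghci_dir() {
    dir="${1:-.}"
    f="$dir/.ghci"
    [ -f "$f" ] || return 1
    hash_file "$f" >> "$TRUST_FILE"
}

# Interactive wrapper: alias ghci=safe_ghci. Shows an unknown ./.ghci before
# it is ever executed and only remembers it if the user says yes.
safe_ghci() {
    if ghci_dir_ok .; then
        exec ghci "$@"
    fi
    echo "Unreviewed ./.ghci in $(pwd); contents:" >&2
    cat ./.ghci >&2
    printf 'Trust this file and start ghci? [y/N] ' >&2
    read -r ans
    case "$ans" in
        y|Y) trust_ghci_dir . && exec ghci "$@" ;;
        *)   echo "Refusing to start ghci here." >&2; return 1 ;;
    esac
}
```

Only `safe_ghci` is interactive; `ghci_dir_ok` can also be called from scripts that use "ghc -e" to bail out before the compiler reads the file. The check is on content, so a repository that later changes its .ghci (for example after a `git pull`) has to be reviewed again.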
Change History (12)
comment:1 Changed 19 months ago by igloo
- Difficulty set to Unknown
- Milestone set to 7.8.1
- Priority changed from normal to high