[Click] Question: Script "cat" handler considered dangerous?
Eddie Kohler
kohler at cs.ucla.edu
Mon Jun 16 12:37:48 EDT 2008
Hi all,
A quick question. I've justed added a handler to Click's Script element,
accessible at userlevel, called "cat". This handler reads a file and returns
its contents. For example:
Script(set x $(cat /tmp/f))
sets the script's "$x" variable to the contents of /tmp/f.
This is pretty useful, but also potentially dangerous, since anyone who can
call the Script's "cat" handler can read any file accessible to the click
program. I am wondering if anyone finds this dangerous -- for example if
someone is running ControlSocket. One possibility would be to make "cat"
accessible within the config, and not from ControlSocket.
Eddie
More information about the click
mailing list