Unrestricted Python in 1.2?


allefant
Units Database Administrator
Posts: 516
Joined: May 6th, 2005, 3:04 pm

Post by allefant »

Luckily the CS speaks English only :)
rrenaud
Posts: 34
Joined: February 8th, 2006, 5:43 am

Post by rrenaud »

What is wrong with the certification solution? Before a campaign with Python scripting will be distributed by the campaign server, it must be digitally signed by a trusted member of the Wesnoth development community. Do people believe this won't scale? Is the latency for a security review too long? Will clever scripters put in security bugs that get past review?
allefant
Units Database Administrator
Posts: 516
Joined: May 6th, 2005, 3:04 pm

Post by allefant »

Well, the current solution effectively does the same as signing: http://www.wesnoth.org/wiki/ReferencePy ... ign_server

Someone with the proper access rights can strip the ".unchecked" extension from a Python script on the campaign server, therefore making it available.

This means that if someone wants to distribute a campaign with Python scripting over the campaign server, they can simply upload it, then notify me. I'd check the Python script(s) in it and mark them as safe.

Some details need to be worked out:
* Should the campaign really be available for download in the period from uploading to marking as safe? (The advantage is, users who want to trust the scripts can locally remove the .unchecked and then already play.)
* How can a script on the CS get renamed? (Only person I know with shell access is isaac - so maybe need to add a way to rename files with a new restricted campaign server command.)
* What if I have no time to check a script, or it is too long/complicated to properly check?

I think, in the long run, one of the two other solutions mentioned on the EasyCoding link above should be implemented (auto-checking like Zope, or using Lua or another scripting language which can be restricted).
freecraft
Posts: 94
Joined: April 28th, 2005, 12:49 am
Location: Serbia

Post by freecraft »

What about writing a program that will analyze Python code looking for odd/malicious parts? For example importing modules (with exceptions), using file, open, eval, exec, __import__ (and such), etc.? I think that by such heavy limiting we can make a working filter. So instead of a human, code could be checked by some "AI" :)

Is it possible? If it is possible, I would like to make it! In Python of course ... Sorry if you have already discussed such an option. I think it is possible :)
Boucman
Inactive Developer
Posts: 2119
Joined: March 31st, 2004, 1:04 pm

Post by Boucman »

if it were possible, security on the internet wouldn't be a problem

the whole point of malicious code is to find a way to go through such filters, so it would probably reduce possibilities, but unless there is human review, a hacker will always find a way to get through

and even a human review isn't a 100% guarantee
Fight key loggers: write some perl using vim
allefant
Units Database Administrator
Posts: 516
Joined: May 6th, 2005, 3:04 pm

Post by allefant »

Yes, analyzing the code would be a possible option. For example Zope does it, see here for a description of how it works:

http://zopewiki.org/PythonScript

and here for the code:

http://svn.zope.org/Zope3/trunk/src/RestrictedPython/

Doing the same in Wesnoth (probably could use the above code, if license permits) would make it safe to store Python code on the campaign server. At least, it should then make it easier for a hacker to find an exploitable flaw in the C++ code or in WML than in a Python AI :)

Anyway, I think the current solution also works well enough, it's how modules work in many other programs. But if you feel like trying the restricted stuff, it would be great of course.
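
The kind of checker freecraft proposes, sketched as an added example that is not part of the thread and is not Wesnoth's or Zope's code: it walks the script's syntax tree and reports disallowed imports, the names listed in that post, and underscore-prefixed attribute access. `ALLOWED_IMPORTS`, the underscore rule and the sample scripts are assumptions constructed for illustration.

```python
import ast

# Names freecraft's post lists as suspicious, matched as plain identifiers.
BANNED_NAMES = {"file", "open", "eval", "exec", "__import__"}
# Hypothetical allow-list for "importing modules (with exceptions)".
ALLOWED_IMPORTS = {"math", "random"}


def audit(source):
    """Return a sorted list of (line, reason) findings for one script."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        # A script the checker cannot parse is never marked as safe.
        return [(err.lineno or 0, "does not parse: reject")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_IMPORTS:
                    findings.append((node.lineno, "import " + alias.name))
        elif isinstance(node, ast.ImportFrom):
            module = node.module or "."
            # Relative imports (level > 0) are rejected outright.
            if node.level or module.split(".")[0] not in ALLOWED_IMPORTS:
                findings.append((node.lineno, "import from " + module))
        elif isinstance(node, ast.Name) and node.id in BANNED_NAMES:
            findings.append((node.lineno, "name " + node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Assumed extra rule: name checks alone do not cover attributes.
            findings.append((node.lineno, "attribute " + node.attr))
    return sorted(findings)


# Constructed sample scripts, not taken from any real campaign.
SAFE_AI = "import math\ndef score(x, y):\n    return math.hypot(x, y)\n"
UNSAFE_AI = (
    "import os\n"
    "data = open('save.cfg').read()\n"
    "cls = data.__class__\n"
)

if __name__ == "__main__":
    for label, script in (("safe", SAFE_AI), ("unsafe", UNSAFE_AI)):
        print(label, audit(script))
```

A pass like this only sees names written literally in the source, so its findings narrow what a reviewer has to read before stripping ".unchecked" rather than replacing that review.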