diff options
| author | Kaz Kylheku <kaz@kylheku.com> | 2017-03-18 08:39:34 -0700 |
|---|---|---|
| committer | Kaz Kylheku <kaz@kylheku.com> | 2017-03-18 08:39:34 -0700 |
| commit | 7d5d3b930648483e79cfb911f4843d2215d1058d (patch) | |
| tree | 2fe70a40d72a6e69148de4d1040dad31c7ba374e /txr.1 | |
| parent | 03eb076fdeb10974dcadfd2cabfc51faa4770416 (diff) | |
| download | txr-7d5d3b930648483e79cfb911f4843d2215d1058d.tar.gz txr-7d5d3b930648483e79cfb911f4843d2215d1058d.tar.bz2 txr-7d5d3b930648483e79cfb911f4843d2215d1058d.zip | |
Restore package and package alist in handlers.
When setting up a handler frame, we note down the current
package alist and package in the frame. Then when invoking the
handler, we rebind the *package* and *package-alist* special
variables.
This is a needed security measure for sandboxing. Since
handlers do not unwind (and therefore do not restore special
variables) a handler in sandboxed code could catch an
exception from non-sandboxed code that has changed *package*
or *package-alist*, and take advantage of those changed
values to escape from the sandbox.
* unwind.c (uw_push_handler): Store current package and
package-alist into new fields in the handler frame.
(invoke_handler): Set up a new dynamic environment and
bind *package* and *package-alist* around the handler
call, to the values noted in the frame. Thus the handler
executes with whatever package context was current when
the handler was established.
* unwind.h (struct uw_handler): New members, package and
package_alist.
* txr.1: Add paragraph to Exception Handling about this
issue.
Diffstat (limited to 'txr.1')
| -rw-r--r-- | txr.1 | 28 |
1 files changed, 28 insertions, 0 deletions
@@ -33724,6 +33724,34 @@ to the outermost. When an eligible handle is encountered, it is called. If it returns, the search continues. When an eligible catch is encountered, the search stops and a control transfer takes place to the catch site. +.NP* Handlers and Sandboxing + +Because handlers execute in the dynamic context of the exception origin, +without any unwinding having taken place, they expose a potential route +of sandbox escape via the package system, unless special steps are taken. +The threat is that code at the handler site could take advantage of +the current value of the +.code *package* +and +.code *package-list* +variables established at the exception throw site to gain inappropriate access +to symbols. + +For this reason, when a handler is established, the current values of +.code *package* +and +.code *package-list* +are recorded into the handler frame. +When that handler is later invoked, it executes in a dynamic environment +in which those variables are bound to the previously noted values. + +The catch mechanism doesn't do any such thing because the unwinding +which is performed prior to the invocation of a catch implicitly +restores the values of +.B all +special variables to the values they had at the time the frame was +established. + .NP* Exception Type Hierarchy Exception type symbols are arranged |