Security considerations in Mathematica&J/Link
- To: mathgroup at smc.vnet.net
- Subject: [mg25088] Security considerations in Mathematica&J/Link
- From: Murphy <werner.schuster at netway.at>
- Date: Thu, 7 Sep 2000 22:28:48 -0400 (EDT)
- Sender: owner-wri-mathgroup at wolfram.com
yo group (& especially Todd Gayley),
I am trying to write something of a Mathematica FrontEnd for the Web using J/Link & Servlets;
the problem is the security;
by allowing the user to evaluate arbitrary expressions, I'm opening a HUGE backdoor in the website;
there have been discussions in my company that the feature set should be reduced to simply allowing the user to enter the function in a plot expression & also checking for e.g. filesystem and equally dangerous functions;
but you can restrict as much as you want, potential crackers will always find a way;
whether it's by placing a pure function somewhere that somehow calls a dangerous function or by using a more indirect way like buffer overflows or exploiting one of the numerous Mathematica bugs;
my questions are:
- does anyone have any experience with something like that?
- to Todd Gayley: have you considered security for Mathematica or J/Link?
since WRI is trying to place J/Link as a tool for web applications (according to the website), that might be one of the things to do;
(of course I know that J/Link is only a layer on top of Mathematica & so can't really do much about security by itself, but since you're a Java programmer I thought you might have some ideas/thoughts in this direction);
thanx in advance,
murphee
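The post contrasts checking for "dangerous functions" (a blacklist) with restricting the user to the body of a plot expression. The following is an added example, not code from the original post or from J/Link: a servlet-side allowlist validator that only accepts a closed token grammar (numbers, a fixed set of symbols, arithmetic and bracket punctuation) before the string is ever handed to the kernel, so pure-function syntax (`&`, `#`, `@`), strings, assignments and unknown symbols are rejected without having to enumerate them. The symbol allowlist, the 200-character limit and the `TimeConstrained` wrapper are assumptions chosen for illustration.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Allowlist validator for a user-supplied f(x) that a servlet wraps in Plot[...]. */
public final class PlotExpressionValidator {
    // Constructed allowlist: the only symbols a user expression may contain.
    private static final Set<String> ALLOWED_SYMBOLS = Set.of(
        "x", "Pi", "E", "Sin", "Cos", "Tan", "Exp", "Log", "Sqrt", "Abs");

    // Accepted tokens: number | identifier | arithmetic and bracket punctuation.
    // Anything else (&, #, @, ", `, =, :, <, >, !, %) is not a token and fails.
    private static final Pattern TOKEN = Pattern.compile(
        "(\\d+(?:\\.\\d*)?)|([A-Za-z]+)|([-+*/^\\[\\],()])");

    /** True only if every token is allowed and the expression is non-empty. */
    public static boolean isSafePlotBody(String expr) {
        if (expr == null) return false;
        String s = expr.trim();
        if (s.isEmpty() || s.length() > 200) return false;   // assumed length cap
        Matcher m = TOKEN.matcher(s);
        int pos = 0;
        while (pos < s.length()) {
            if (Character.isWhitespace(s.charAt(pos))) { pos++; continue; }
            // Token must start exactly at pos; a gap means an unrecognised character.
            if (!m.find(pos) || m.start() != pos) return false;
            String symbol = m.group(2);
            if (symbol != null && !ALLOWED_SYMBOLS.contains(symbol)) return false;
            pos = m.end();
        }
        return true;
    }

    /** Builds the kernel command only from a validated body; never concatenates raw input. */
    public static String buildPlotCommand(String body) {
        if (!isSafePlotBody(body)) {
            throw new IllegalArgumentException("expression rejected by allowlist");
        }
        // TimeConstrained bounds evaluation time as an extra defensive layer (assumed limit).
        return "TimeConstrained[Plot[" + body.trim() + ", {x, -10, 10}], 10]";
    }

    public static void main(String[] args) {
        System.out.println(isSafePlotBody("Sin[x]^2 + Cos[2*x]"));          // true
        System.out.println(isSafePlotBody("Sin[x] + DeleteFile[\"f\"]"));   // false: DeleteFile, quotes
        System.out.println(isSafePlotBody("Run[#] & [x]"));                 // false: Run, #, &
        System.out.println(buildPlotCommand("Exp[-x^2]"));
    }
}
```

Because the grammar is closed, a new kernel function never needs to be added to a deny list; it is simply absent from the allowlist.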