Re: Security considerations in Mathematica&J/Link
- To: mathgroup at smc.vnet.net
- Subject: [mg25102] Re: Security considerations in Mathematica&J/Link
- From: Jens-Peer Kuska <kuska at informatik.uni-leipzig.de>
- Date: Sun, 10 Sep 2000 03:14:27 -0400 (EDT)
- Organization: Universitaet Leipzig
- References: <8p9l1l$1uu@smc.vnet.net>
- Sender: owner-wri-mathgroup at wolfram.com
Hi,

a) putting a Mathematica interface on the www will probably violate our license conditions
b) AFAIK Wolfram offer a special "secure kernel" for www scripting
c) you can Remove[DeleteFile] ... and all the things that are dangerous when the kernel starts
d) Mathematica has no bugs -- it is called "special feature"

Regards
  Jens

Murphy wrote:
>
> yo group (& especially Todd Gayley),
>
> I am trying to write something of a Mathematica FrontEnd for the Web using
> J/Link & Servlets;
>
> the problem is the security;
> by allowing the user to evaluate arbitrary expressions, I'm opening a HUGE
> backdoor in the website;
>
> there have been discussions in my company that the feature set should be
> reduced to simply allowing the user to enter the function in a plot
> expression & also checking for e.g. Filesystem and equally dangerous
> functions;
>
> but you can restrict as much as you want, potential crackers will always
> find a way;
> whether it's by placing a pure function somewhere that somehow calls a
> dangerous function
> or by using a more indirect way like BufferOverflows or exploiting one of
> the numerous Mathematica bugs;
>
> my questions are:
> - does anyone have any experience with something like that?
>
> - to Todd Gayley: have you considered security for Mathematica or J/Link?
>   since WRI is trying to place J/Link as a tool for web applications
>   (according to the website), that might be one of the things to do;
>   (of course I know that J/Link is only a layer on top of Mathematica & so
>   can't really do much about security by itself, but since you're a Java
>   programmer I thought you might have some ideas/thoughts in this direction);
>
> thanx in advance,
> murphee
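The restriction Murphy's company proposed (only a function inside a plot expression, with dangerous functions rejected) is easier to hold as an allowlist than as a denylist of things to Remove, because an allowlist also refuses the indirect forms Murphy worries about. The following is an added example, not code from the thread or from WRI; allowedNames, heldSymbolNames and safeEvaluate are names chosen for this example, and the inputs at the end are constructed.

```mathematica
(* Added example: allowlist filter for user-supplied input. The string is
   parsed without evaluation, every symbol in the parsed expression (heads
   included) is compared against a fixed allowlist, and only a fully allowed
   expression is released for evaluation. *)

allowedNames = {"HoldComplete", "Plus", "Times", "Power", "Sin", "Cos",
  "Exp", "Log", "Sqrt", "Pi", "E", "x", "List", "Plot", "PlotRange"};

(* Short names of all symbols in a held expression, without evaluating any
   of them; Heads -> True also catches symbols used as function heads. *)
heldSymbolNames[held_HoldComplete] := DeleteDuplicates[
  Cases[held, s_Symbol :> SymbolName[Unevaluated[s]], {0, Infinity},
    Heads -> True]]

safeEvaluate::blocked = "Input uses symbols outside the allowlist: `1`";

safeEvaluate[input_String] := Module[{held, rejected},
  (* HoldComplete as third argument keeps ToExpression from evaluating *)
  held = Quiet[ToExpression[input, InputForm, HoldComplete]];
  If[held === $Failed, Return[$Failed]];
  rejected = Complement[heldSymbolNames[held], allowedNames];
  If[rejected =!= {},
    Message[safeEvaluate::blocked, rejected]; $Failed,
    ReleaseHold[held]]
]

(* Constructed inputs: the first evaluates; the second is refused before
   anything runs; the third, which only names the function via a string,
   is refused as well because Symbol is not on the allowlist. *)
safeEvaluate["Sin[x]^2 + Cos[x]^2"]
safeEvaluate["DeleteFile[\"important.txt\"]"]
safeEvaluate["Symbol[\"DeleteFile\"][\"important.txt\"]"]
```

The allowlist compares short symbol names only, so the kernel it runs in should still be one where the user cannot change contexts; a production filter would also bound argument sizes and evaluation time.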