sandboxing doIts

Avi Bryant avi at beta4.com
Thu Feb 20 23:42:16 UTC 2003


I'm playing with building some tools for interactive online tutorials
(sort of a GeeMailMorph in Seaside), in which I would ideally like users
to be able to edit certain methods from their web browser and see the
effects.  Obviously this is a security hole, but it seems like it ought to
be possible to restrict the compilation of the method so that it was safe.
Since being restrictive is the point here, and also since you can very
tightly control the context in which this method is called, it also seems
like the solution will be simpler than a full Islands or Squeak-E system.
Am I kidding myself?

Offhand, I think you'd want to:

- disable access to globals of any kind, and 'thisContext', so only 'self'
and self's instance variables are available
- disallow at least the symbols #become: and #perform: (and
#perform:with:, etc), and probably #fork and #newProcess
- disallow the bytecode that sends #class
- disallow primitives

What else?

Has anyone else thought about this?  Would anyone else find this useful?

Avi
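
Added example, not code from the original post: a static vetting pass over a CompiledMethod that applies the four checks from the list above before the method is installed. It assumes Squeak 3.x with the V3 bytecode set (137 = pushActiveContext), that globals compile to variable-binding literals, and that `forbidden` and `problemsFor` are names chosen here.

```smalltalk
"Vet a CompiledMethod that the compiler produced but that has not been installed.
 Assumptions: Squeak 3.x, V3 bytecodes; isVariableBinding answers true for the
 Association literals that global references compile to."
| forbidden problemsFor |
forbidden := #(become: perform: perform:with: perform:with:with:
               perform:with:with:with: perform:withArguments:
               fork newProcess class).
problemsFor := [:method | | problems scanner |
    problems := OrderedCollection new.
    "1. Globals: Smalltalk, Transcript, class names etc. appear in the literal
        frame as bindings. The method's own class binding is skipped."
    method literals do: [:lit |
        (lit isVariableBinding and: [lit value ~~ method methodClass])
            ifTrue: [problems add: 'references global ', lit key]].
    "2./3. Sent selectors; #messages also reports special-bytecode sends
        such as #class, so the bytecode for #class is covered here."
    method messages do: [:sel |
        (forbidden includes: sel)
            ifTrue: [problems add: 'sends #', sel]].
    "4. Primitives: any nonzero primitive index is rejected."
    method primitive = 0
        ifFalse: [problems add: 'calls primitive ', method primitive printString].
    "thisContext is not a literal; it compiles to the pushActiveContext bytecode."
    scanner := InstructionStream on: method.
    (scanner scanFor: [:byte | byte = 137])
        ifTrue: [problems add: 'uses thisContext'].
    problems].

"Usage: an empty result means none of the checks fired, e.g.
 (problemsFor value: aCompiledMethod) isEmpty ifTrue: [install it]."
```

The pass looks at one method in isolation, so it says nothing about what the methods reachable through `self` can do; those stay under the control of whoever sets up the calling context.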



More information about the Squeak-dev mailing list