[Rd] Advice on parsing / overriding function calls

hadley wickham h.wickham at gmail.com
Thu Aug 16 14:50:42 CEST 2007

What are you trying to defend against?  A serious attacker could still
use rm/assign/get/eval/... to circumvent your replaced functions.  I
think it would be very difficult (if not impossible) to prevent this
from happening), especially if the user can load packages.


On 8/16/07, Michael Cassin <michael at cassin.name> wrote:
> Hi,
> I am trying to tighten file I/O security on a process that passes a
> user-supplied script to R CMD Batch.  Broadly speaking, I'd like to restrict
> I/O to a designated path on the file system. Right now, I'm trying to
> address this in the R environment by forcing the script to use modified
> versions of scan, read.table, sys.load.image, etc.
> I can run a replace string on the user-supplied script so that, for example,
> "scan(" is replaced by "safe.scan("
> e.g.
> > SafePath <- function(file)
> {fp<-strsplit(file,"/");paste("safepath",fp[[1]][length(fp[[1]])],sep="/")}
> > SafePath("/etc/passwd")
> [1] "safepath/passwd"
> >  Safe.scan <- function(file, ...) scan(SafePath(file),...)
> > Safe.scan("/etc/passwd",what="",sep="\n")
> Error in file(file, "r") : unable to open connection
> In addition: Warning message:
> cannot open file 'safepath/passwd', reason 'No such file or directory'
> I'd appreciate any critique of this approach.  Is there something more
> effective or elegant?
> Regards,
> Mike
>         [[alternative HTML version deleted]]
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel


More information about the R-devel mailing list