MaximaPHP
---------
Version: 0.1.3
April 21, 2007

--------------
Security Notes
--------------

MaximaPHP currently implements several security measures to prevent a user
from sending harmful commands to the server, accidentally or otherwise. These
include:

- wrapping the Maxima program with '_maxima_with_timeout_.pl', a Perl script
  that launches Maxima within a controlled timeout limit.
- wrapping the TtM program with '_ttm_with_timeout_.pl', a Perl script that
  launches TtM within a controlled timeout limit.
- an input filter that blocks any command considered unsafe.

The filter checks the input against a blacklist of unsafe commands and rejects
the input if any of them matches. This mechanism does its job only if every
unsafe command is in the list, and guaranteeing that is hard: for many reasons
we may fail to see that some command is actually unsafe.

A class called MPSFilterOut is responsible for checking the input and blocking
any commands considered unsafe. The filter measures implemented are:

- blocking unsafe Maxima keywords
- blocking unsafe Maxima patterns
- blocking unsafe Gnuplot keywords
- blocking unsafe Gnuplot patterns

The keywords and patterns considered unsafe were obtained by checking the
documentation of Maxima 5.11.0 and Gnuplot 4.2.0.

NOTE: I cannot guarantee that all harmful keywords and patterns are blocked.
You may want to verify for yourself that it is really secure by checking the
Maxima and Gnuplot documentation thoroughly.

Usage in production site
------------------------

MaximaPHP currently has only a filter mechanism to block unsafe commands.
Some unsafe commands may not be in the blacklist, and this may be exploited to
break the server. I do not recommend using the current release of MaximaPHP
in a production site.
If you insist on using MaximaPHP in a production site, I recommend that you
take additional security measures on the server side, such as:

- running Maxima, Gnuplot and TtM in a 'jailed' environment; see
  http://olivier.sessink.nl/jailkit/

---------------------------------------
If you have any questions please email bowo prasetyo at
praNzOjp at gSmaPil dAMot com (take NO SPAM out of the email address)
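The Security Notes above describe two mechanisms: a blacklist filter
(MPSFilterOut) that rejects input matching unsafe Maxima/Gnuplot keywords and
patterns, and Perl wrappers that run Maxima and TtM under a timeout. The PHP
below is an added example written for this page to show both ideas side by
side; it is not MaximaPHP's own code. The keyword and pattern lists are an
assumed subset drawn from the Maxima and Gnuplot manuals, not the project's
real lists; the names BlacklistFilter, TimeoutRunner, check and run are
hypothetical; the sample inputs are constructed; and the final call assumes a
'maxima' binary on the PATH.

```php
<?php
// Added example for this page, not MaximaPHP's own code. Keyword and pattern
// lists are an assumed subset of what the Maxima and Gnuplot manuals document;
// class and method names are hypothetical.

class BlacklistFilter
{
    // Maxima functions that run shell commands, read or write files, or load code.
    private $maximaKeywords = array('system', 'load', 'batch', 'batchload', 'save',
        'stringout', 'writefile', 'appendfile', 'with_stdout', 'openw', 'opena', 'openr');
    // Things a keyword list cannot express: the ":lisp" line directive and the
    // "?" prefix that names an arbitrary Lisp function.
    private $maximaPatterns = array('/^\s*:lisp\b/m', '/\?[A-Za-z_]/');
    // Gnuplot commands that run a shell or touch files.
    private $gnuplotKeywords = array('system', 'shell', 'load', 'save', 'call', 'cd');
    private $gnuplotPatterns = array(
        '/^\s*!/m',                   // "! cmd" shell escape
        '/[\'"]\s*<\s*\S/',           // "< cmd" pipe used as a data source
        '/\bset?\s+(o\w*|te\w*)\b/',  // set output / set terminal, incl. abbreviations
    );

    // Return a reason string if $input must be rejected, or null if it passes.
    public function check($input, $lang)
    {
        $keywords = ($lang === 'gnuplot') ? $this->gnuplotKeywords : $this->maximaKeywords;
        $patterns = ($lang === 'gnuplot') ? $this->gnuplotPatterns : $this->maximaPatterns;
        foreach ($keywords as $kw) {
            // Match the bare identifier, not "kw(": apply(system, ["ls"]) never writes "system(".
            if (preg_match('/\b' . preg_quote($kw, '/') . '\b/', $input)) {
                return "blocked $lang keyword '$kw'";
            }
        }
        foreach ($patterns as $re) {
            if (preg_match($re, $input)) {
                return "blocked $lang pattern $re";
            }
        }
        return null;
    }
}

class TimeoutRunner
{
    // Feed $input on stdin to $cmd, collect stdout, and SIGKILL the process once
    // $seconds have elapsed. Returns array(output, timedOut).
    public static function run($cmd, $input, $seconds)
    {
        $spec = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'));
        $proc = proc_open($cmd . ' 2>&1', $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException("cannot start $cmd");
        }
        fwrite($pipes[0], $input);   // small inputs only; large ones need a select loop
        fclose($pipes[0]);
        stream_set_blocking($pipes[1], false);
        $deadline = microtime(true) + $seconds;
        $out = '';
        $timedOut = false;
        while (true) {
            $out .= stream_get_contents($pipes[1]);
            $status = proc_get_status($proc);
            if (!$status['running']) {
                break;
            }
            if (microtime(true) >= $deadline) {
                proc_terminate($proc, 9);  // SIGKILL: cannot be caught or ignored
                $timedOut = true;
                break;
            }
            usleep(50000);
        }
        $out .= stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        proc_close($proc);
        return array($out, $timedOut);
    }
}

// Constructed inputs: the first of each group passes, the rest hit either the
// keyword list or the pattern list.
$filter = new BlacklistFilter();
$samples = array(
    'maxima'  => array('integrate(sin(x), x)', 'system("ls /")', 'apply(system, ["ls"])', ':lisp (print 1)'),
    'gnuplot' => array('plot sin(x)', 'plot "< cat /etc/passwd"', '!id', 'set out "x"'),
);
foreach ($samples as $lang => $inputs) {
    foreach ($inputs as $in) {
        $r = $filter->check($in, $lang);
        printf("%-8s %-28s %s\n", $lang, $in, $r === null ? 'ok' : $r);
    }
}

// Run an accepted expression under a 5 s limit. "exec" makes /bin/sh replace itself
// with maxima, so the SIGKILL reaches maxima rather than an intermediate shell.
list($out, $timedOut) = TimeoutRunner::run('exec maxima --very-quiet', "integrate(sin(x), x);\n", 5);
echo $timedOut ? "maxima killed after 5 s\n" : htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . "\n";
```

Two points the example makes that the notes only hint at: the keyword check
matches bare identifiers rather than "name(" because Maxima's apply() can call
a function by name without ever writing the parenthesis, and the timeout
wrapper kills with SIGKILL through exec so the signal lands on the Lisp
process and not on a shell that would leave it orphaned. Neither change turns
a blacklist into a guarantee; the jail recommended above is still the
measure that bounds what a missed keyword can do.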