[Haskell-cafe] GHC 7.0.1 developer challenges

John D. Ramsdell ramsdell0 at gmail.com
Thu Nov 25 14:44:33 CET 2010

On Thu, Nov 25, 2010 at 6:07 AM, Nils Anders Danielsson
<nad at cs.nott.ac.uk> wrote:

> Is CPSA intended to be run by untrusted users (for instance with the
> setuid bit set)?
> http://hackage.haskell.org/trac/ghc/ticket/3910
> http://www.amateurtopologist.com/2010/04/23/security-vulnerability-in-haskell-with-cgi/

Ah.  This is the flaw that prompted the change.  Interesting, for you
see the src directory of the CPSA distribution includes scripts to run
the suite of CPSA programs by a CGI script written in Python.   The
purpose of this mode of operation is to allow people to use CPSA
without installing any software on their machine, except a standards
compliant browser if they're on Windows.  The CGI script is not
security hardened, and only used on friendly, closed systems.  But a
key part of the setup is to bound the memory used by CPSA, and limit
the number of copies running to one.  The memory limit was set after a
new user submitted a CPSA problem to the web server that consumed all
the memory on the machine running the web server.  The web server was
running on the desktop machine I was using, so I knew instantly what
had happened.  I kicked myself because I already had learned to limit
memory when invoking CPSA from the command line.


More information about the Haskell-Cafe mailing list