[Xmonad] darcs patch: fix potential hole in userCode.

Stefan O'Rear stefanor at cox.net
Fri Oct 12 23:15:52 EDT 2007 

On Fri, Oct 12, 2007 at 01:56:17PM -0400, David Roundy wrote:
> On Fri, Oct 12, 2007 at 10:32:48AM -0700, Don Stewart wrote:
> >     case s of
> >         Left  e -> mapM_ putStrLn e
> >         Right v -> Control.Exception.catch
> >             (putStrLn v)
> >             (\e -> Control.Exception.handle (const $ putStrLn "Exception") $ do
> >                         e' <- Control.Exception.evaluate e
> >                         putStrLn $ "Exception: " ++ take 1024 (show e'))
> > 
> > Right means there was no compile error. So we then show the value, forcing it.
> > Note that it can throw an exception whose thrown value is an exception.
> > 'evaluate' takes care of some of the work for us.

Lambdabot forks anyway, so all it really has to worry about is stopping
an output flood.

> That's interesting.  Although Config can be assumed to be less hostile than
> lambdabot users, we've got a slightly harder problem in catchX, since we
> know of no way to force the value (as showing it does for lambdabot).
> 
> Probably worrying about calls to (error (error "Gotcha!")) is beyond the
> scope of catchX, as we don't need to deal with malicious code, just buggy
> code, and I can't imagine how someone would accidentally do something like
> that.  Malicious people, of course, will just write bug-free code that
> deletes the user's home directory, which catchX can't prevent.
> 
> Of course, if IO were broken up into smaller monads, we could restrict code
> to not touch the filesystem if we wanted.  Or even better, if we had a
> really tricky monad, code could be restricted to only touch the
> ~/.xmonadcontrib/ directory...  :)

The main issue is:

modify (\x -> posionWithBottoms x)

That will not fail immediatly, but will cripple xmonad by causing all
commands that read the state to fail, including mod-q.  Your only choice
is to quit xmonad wholesale.

My proposal (shared, I believe, with sjanssen) is "fail early, fail
often, and force the people who commit bugs to wear imaginary dunce
caps".

Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://www.haskell.org/pipermail/xmonad/attachments/20071012/520c7b97/attachment.bin

More information about the Xmonad mailing list