[fpc-pascal] Remote FreePascal compile service, feedback requested
Michalis Kamburelis
michalis at camelot.homedns.org
Tue Dec 6 01:04:24 CET 2005
Tom Verhoeff wrote:
[...]
>
> I was thinking of adding a remote FreePascal service along the following
> lines. You go to its web interface, browse for your source files
> (possibly a whole zip archive) on your local machine, enter command-line
> options, and let our server compile your stuff with a (selectable)
> version of fpc (under Linux), then you get back the results (possibly
> also in a zip archive). Maybe we can support cross compiles as well.
>
Great idea. I played a little and found two security issues:
1. Consider the following program, that lets the attacker know what's
the default display manager on your system:
----------------
program get_file_contents;
const
usr = 1;
bin = 1;
gdm = 10;
xdm = 100;
kdm = 1000;
const
Marker = 1 {$I /etc/X11/default-display-manager};
begin
Writeln(Marker);
end.
----------------
As you can see, this is achieved by using {$I ...} with an absolute
path. This way I can include an arbitrary file, and do some tricks (like
above creating constants "usr", "bin" ... and then a constant "Marker"
that has different value depending on your display manager). This way I
can investigate various things about your system.
(Wow, it was fun creating this program :) )
Conclusion: be extra-careful about what people include with $I in their
submitted programs. So you have to either scan source files, or maybe
run within chroot. Or you must be sure that you don't have any sensitive
information readable by the fpc process on your system.
2. Another minor issue: using the {$I %xxx%} feature, a submitter can get
knowledge about environment variables on your system.
----------------
begin
Writeln({$I %PATH%});
end.
----------------
This way I know what's the value of $PATH, as seen by fpc process.
Conclusion: don't put sensitive information inside your environment
variables accessible to the running fpc process.
Michalis
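A defender's-side check for the two directive abuses described in this message, as an added example that is not part of the original post or of FPC itself: a small Python scanner for submitted sources that flags {$I}/{$INCLUDE} arguments which are absolute paths, escape the submission directory with "..", or are %ENV% expansions, while leaving the {$I+}/{$I-} I/O-checking switch and ordinary relative includes alone. The sample source below is constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# FPC include directives in both comment forms: {$I ...} / {$INCLUDE ...}
# and (*$I ...*) / (*$INCLUDE ...*). Directive names are case-insensitive.
_INCLUDE_RE = re.compile(
    r"\{\$(?:I|INCLUDE)\b([^}]*)\}|\(\*\$(?:I|INCLUDE)\b(.*?)\*\)",
    re.IGNORECASE | re.DOTALL,
)

def classify_include(arg: str) -> Optional[str]:
    """Return a finding label for one include argument, or None if harmless."""
    arg = arg.strip()
    # {$I+} / {$I-} toggle I/O checking; they do not include anything.
    if arg in ("+", "-"):
        return None
    # {$I %NAME%} expands an environment variable (as in the %PATH% case above).
    if re.fullmatch(r"%[^%]+%", arg):
        return "environment-variable-include"
    # Absolute POSIX, Windows drive or UNC paths reach outside the upload dir.
    if arg.startswith("/") or re.match(r"^[A-Za-z]:[\\/]|^\\\\", arg):
        return "absolute-path-include"
    # A ".." component lets a relative include climb out of the upload dir.
    if ".." in re.split(r"[\\/]", arg):
        return "path-traversal-include"
    return None

def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, argument) for every suspicious include."""
    findings = []
    for m in _INCLUDE_RE.finditer(text):
        arg = m.group(1) if m.group(1) is not None else m.group(2)
        label = classify_include(arg)
        if label:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, label, arg.strip()))
    return findings

# Constructed sample: the two patterns from the message plus benign directives.
SAMPLE = """program probe;
{$I-}
{$I helpers.inc}
const
  Marker = 1 {$I /etc/X11/default-display-manager};
begin
  Writeln({$i %PATH%});
  (*$INCLUDE ../other/unit.inc*)
end.
"""

if __name__ == "__main__":
    for line, label, arg in scan_source(SAMPLE):
        print(f"line {line}: {label}: {arg}")
```

A lexical check like this complements, rather than replaces, running the compiler under chroot with a scrubbed environment, since the directive syntax has more forms than one regex can be guaranteed to cover.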