Author Topic: How to execute console commands from wizard?  (Read 6928 times)

writser
How to execute console commands from wizard?
« on: October 22, 2006, 06:14:58 pm »
I just downloaded and installed Code::Blocks and so far I'm pretty impressed. I'm currently trying to write a gtk+ / gtkmm wizard to make it even better. While doing this I stumbled on a small problem. If I use `pkg-config` to set up my project, everything works like a charm. Which is terrific. However, since the include directories are not added to the project, I have no code completion. And that is unfortunately the thing I like best about Code::Blocks!

So, there is my problem. I somehow want to add the individual include directories and libraries given by pkg-config to my project. Somewhere else on the forum someone suggested to add a feature to Code::Blocks: "include output of console program". This is a possible solution, but, in my opinion, not very useful. First of all its uses are very limited (I can only think of pkg-config) and second: it is not very flexible. Say I want to remove one library from the list? Or if pkg-config returns an error?

After some thinking I came up with the following solution. I should be able to run pkg-config IN my wizard script and store the output in a local string. Then I can extract all libraries and include directories in the wizard! If I can run console applications in my scripts, I could also use grep and sed to extract the libraries in an even easier way. I can parse the output from pkg-config to do error detection, check versions etc. etc. I'm sure there would be more uses for it. I read the Squirrel documentation and found out about the function "exec" in the standard library. This function is supposed to do exactly what I want but:

1. How do I get the output of the console command?
2. I can't include this function in my scripts. Do I have no access to the standard squirrel library?

I'm new to Code::Blocks and squirrel, so don't flame me too hard if everything I want is already possible. If this is not possible yet, please share any insights with me. Would it be useful to execute console commands from within scripts? If so, what would be the best way to do so? Is there a better way to solve my issue?

I also think I found a small issue with the wizard: http://developer.berlios.de/bugs/?func=detailbug&bug_id=9233&group_id=5358

thomas
Re: How to execute console commands from wizard?
« Reply #1 on: October 22, 2006, 07:26:15 pm »
Hmm... I am unaware of any exec() function in squirrel, and could neither find it in the 2.1 Reference Manual nor the 2.1 Standard Library Manual... where did you find that function?
I don't think what you want to do is possible at all (although I have to admit that I don't know for sure).

Executing external programs from within scripts generally should not be possible.
Unless someone erroneously added them, scripts should not have any hooks to modify the file system or execute external programs, as that may be a security risk.
"We should forget about small efficiencies, say about 97% of the time: Premature quotation is the root of public humiliation."

writser
Re: How to execute console commands from wizard?
« Reply #2 on: October 22, 2006, 07:42:01 pm »
The exec-function is described here: http://squirrel-lang.org/doc/sqstdlib2.html#d0e1925. However, it says nothing about any output generated by the executed command. I agree that executing programs could cause security risks. But, do you see any other solution for my problem then? Currently I manually added the output from pkg-config to my script. Unfortunately this is not portable at all. And, as I stated above, adding `pkg-config ...` to a project is not very flexible either. I'm looking forward to your opinion.

mandrav
Re: How to execute console commands from wizard?
« Reply #3 on: October 22, 2006, 08:22:58 pm »
The squirrel standard library is consciously not enabled, for security reasons.
Although I'm the one who did this, I doubt we gained any security at all though :roll: ...
Be patient!
This bug will be fixed soon...

Game_Ender
Re: How to execute console commands from wizard?
« Reply #4 on: October 22, 2006, 08:28:39 pm »
While pkg-config in the final build options is not best for CodeCompletion, it's the best solution for portability there is. Just taking the output of pkg-config during the wizard phase makes the wizard portable but not the resulting project file. So I think the solution is to find a way for CodeCompletion to parse the output of pkg-config for include paths. Tools like pkg-config are commonplace (see wx-config) so it's not an unusual request.

Keeping the scripts sandbox only protects the user if they run untrusted wizards/configuration scripts and if the script can't already do something nasty through the CB sdk API.
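
Added example (not part of the thread and not Code::Blocks code): one way the IDE itself, rather than a script, could invoke pkg-config and parse its output for include paths, as the post above suggests. The function names, the package-name allowlist and the sample output are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Values of -I, -L and -l tokens; every other token lands in `other`.
struct PkgFlags { std::vector<std::string> include_dirs, lib_dirs, libs, other; };

// Assumed allowlist: letters, digits and "+-_." (covers names such as gtk+-2.0).
// A leading '-' is refused so a script-supplied name can never act as an option.
bool is_safe_package_name(const std::string& name) {
    if (name.empty() || name.size() > 64 || name[0] == '-') return false;
    for (unsigned char c : name)
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '_' && c != '.') return false;
    return true;
}

// Argument vector for an exec-style call (no shell); empty if the name is rejected.
std::vector<std::string> build_pkg_config_argv(const std::string& package) {
    if (!is_safe_package_name(package)) return {};
    return {"pkg-config", "--cflags", "--libs", package};
}

// Sort whitespace-separated tokens by prefix; paths containing spaces are not handled.
PkgFlags parse_pkg_config_output(const std::string& output) {
    PkgFlags flags;
    std::istringstream in(output);
    std::string tok;
    while (in >> tok) {
        const std::string prefix = tok.substr(0, 2);
        if (tok.size() > 2 && prefix == "-I") flags.include_dirs.push_back(tok.substr(2));
        else if (tok.size() > 2 && prefix == "-L") flags.lib_dirs.push_back(tok.substr(2));
        else if (tok.size() > 2 && prefix == "-l") flags.libs.push_back(tok.substr(2));
        else flags.other.push_back(tok);
    }
    return flags;
}

// Constructed sample of pkg-config output for a GTK+ package (not captured from a real run).
const std::string kSampleOutput =
    "-pthread -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include "
    "-L/usr/lib -lgtk-x11-2.0 -lgdk-x11-2.0\n";

int main() {
    const PkgFlags flags = parse_pkg_config_output(kSampleOutput);
    for (const auto& dir : flags.include_dirs) std::cout << "include dir: " << dir << "\n";
    return 0;
}
```

Because the host only ever runs a fixed program with a validated name, scripts get the pkg-config data they need without a general-purpose exec primitive.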

writser
Re: How to execute console commands from wizard?
« Reply #5 on: October 22, 2006, 08:55:16 pm »
Quote
While pkg-config in the final build options is not best for CodeCompletion, it's the best solution for portability there is. Just taking the output of pkg-config during the wizard phase makes the wizard portable but not the resulting project file. So I think the solution is to find a way for CodeCompletion to parse the output of pkg-config for include paths. Tools like pkg-config are commonplace (see wx-config) so it's not an unusual request.

Keeping the scripts sandbox only protects the user if they run untrusted wizards/configuration scripts and if the script can't already do something nasty through the CB sdk API.

I agree this is the best method. But it is also harder to implement. And is it really that evil to allow scripts to access the console? I mean, it's a 'script', right? Not a plain text file. If a user downloads an evil script from an evil website, is it our responsibility to stop that script from doing harm? And any 3rd party compiled plugin could do the same. Should they be restricted too? I don't know. In any case, adding support for pkg-config and friends is really something I would like to see in Code::Blocks. I don't know any other IDE with this feature and it would be really useful.

takeshi miya
Re: How to execute console commands from wizard?
« Reply #6 on: October 22, 2006, 11:04:49 pm »
I'm 300% with Game_Ender, pkg-config is the best solution for portability, it's easy to implement.

For example, I've used both wx-config and pkg-config for both Windows and Linux for the C::B plugins wizard.

See here cbpluginwizard.patch and codeblocks.pc.

And about CodeCompletion, the best fix is Game_Ender's solution.

workwind
Re: How to execute console commands from wizard?
« Reply #7 on: October 23, 2006, 12:18:30 am »
Quote
I agree this is the best method. But it is also harder to implement. And is it really that evil to allow scripts to access the console? I mean, it's a 'script', right? Not a plain text file. If a user downloads an evil script from an evil website, is it our responsibility to stop that script from doing harm? And any 3rd party compiled plugin could do the same. Should they be restricted too? I don't know. In any case, adding support for pkg-config and friends is really something I would like to see in Code::Blocks. I don't know any other IDE with this feature and it would be really useful.
That's right! I don't think that security is an issue here: At the moment it would be possible for a Squirrel script to add a new project with a custom Makefile, place some evil code in the file, and invoke the build process....

thomas
Re: How to execute console commands from wizard?
« Reply #8 on: October 23, 2006, 09:08:50 am »
Quote
The exec-function is described here: http://squirrel-lang.org/doc/sqstdlib2.html#d0e1925.
Ah, though it's called system, I must be blind for not having found that. Thanks :)

Quote
Although I'm the one who did this, I doubt we gained any security at all
It is the only sensible thing to do, though.

Scripts are not only embeddable in wizards, but also in other places (for example project files). People are not necessarily aware of this, neither do antivirus packages necessarily scan project files (for example, I remember from back in the old days when I was foolish enough to use Nerfton, the default setting would only scan a small subset of files).
It is also unclear to what extent the mighty heuristic algorithms found in today's virus scanners are able to scan scripts for unknown malicious code at all (in particular squirrel, which is probably not even considered to be "code" by most). I'd rather believe they don't do much.

Given functions that can modify files, rename and move files and folders, and execute external programs, scripts are quite a dangerous tool. Embedded scripts are a necessary evil, but they should be as safe as can be. Even then we can never be 100% sure that there is no exploit, but we have done what we can.

While it is true that a plugin could do all of that (and more) too, it is a much more obvious threat. Every user is probably aware of this possibility, and can decide whether or not to take that risk (or could read the sources and recompile the plugin from source).
It is true, too, that I can always ship a makefile that contains a rm /* or some other evil stuff. However, one thing being insecure does not justify making another thing insecure, too (actually I am thinking right now whether it may be a good idea to allow turning off custom makefiles entirely, since most people don't use them anyway).

From a user's point of view, knowing that scripts can be embedded in so many subsystems and a script is able to damage my system or install malware would be a good reason to stop using Code::Blocks for me.
I refuse to look at Word and PowerPoint documents that people send to me for the same reason, even if it's people that I have known for 10 years.

Quote
If a user downloads an evil script from an evil website, is it our responsibility to stop that script from doing harm?
Do you work for Microsoft?  :lol:
Just wondering... sounds like IE's standard mode of operation ;)

takeshi miya
Re: How to execute console commands from wizard?
« Reply #9 on: October 23, 2006, 10:02:34 am »
About the security stuff...
It really depends on which side of the balance you are, sandboxed scripts vs. powerful scripts.

For example Squirrel Shell gives access to run programs, create folders, so it's on the powerful-scripts side.

How many malicious .vbs scripts have been made for Word and PowerPoint? A lot.
And how many have been made for Visual Studio? ...

A solution could be something like code signing (despite the source).

I really doubt that power users, administrators or developers, especially, like to be limited like regular users.

I would leave that to consumer-grade programs...

BTW, I was wanting to add the very useful bindings of Squirrel Shell to the C::B bindings, but if security is SUCH an issue, I guess this will need more discussion.


Now back on topic, writser, please make use of pkg-config directly, because it is tiresome to write different projects for different platforms where it is not necessary.

« Last Edit: October 23, 2006, 10:04:05 am by Takeshi Miya »

workwind
Re: How to execute console commands from wizard?
« Reply #10 on: October 23, 2006, 08:48:05 pm »
Quote
While it is true that a plugin could do all of that (and more) too, it is a much more obvious threat. Every user is probably aware of this possibility, and can decide whether or not to take that risk (or could read the sources and recompile the plugin from source).
It is true, too, that I can always ship a makefile that contains a rm /* or some other evil stuff. However, one thing being insecure does not justify making another thing insecure, too (actually I am thinking right now whether it may be a good idea to allow turning off custom makefiles entirely, since most people don't use them anyway).
Then you also have to drop support for building executables within Code::Blocks ;-)
The evil script just adds the file evil.cpp, builds the executable and executes it! There is no possibility to make a development environment worm and virus safe, because they are also programs. Every effort in this area will block other users who depend on these features to build their code. I need custom Makefiles, because I use Code::Blocks to build the code for an Atmel AVR microcontroller with my own, custom Makefile.
Quote
Quote
If a user downloads an evil script from an evil website, is it our responsibility to stop that script from doing harm?
Do you work for Microsoft?  :lol:
Just wondering... sounds like IE's standard mode of operation ;)
Linux does not stop you from doing everything possible from within a Makefile or the autoconf environment - is there any virus or worm distributed by Makefile or through autoconf? You may even download bash scripts, running much better under Linux than under Windows ;-)