crazy.r

f <- function() {
    c <- match.call()
    c[[1]] <- as.name("get")
    c[[2]] <- "get"
    c
    as.function(c(alist(), c))
}
f()()("x")

f <- function() {
    c <- match.call()
    c[[1]] <- as.name("get")
    c[[2]] <- "get"
    
    body(f) <- c
    f
}
f()()("x")

Thanks @hadley, I got some useful ideas again based on your post.

But unfortunatelly get is a filtered function in sandboxR for safety reasons - till I get some time to remove this restriction and check what is geted.

Just try it out: http://sandboxr.no-ip.org/ :)

I was trying to demonstrate the many ways of calling get that your filtering doesn't detect. You could either use that to get any arbitrary function, or once you have get, use it to get any other unfiltered function. Hadley

On Wed, Apr 4, 2012 at 4:56 PM, Gergely Daróczi ***@***.*** wrote: Thanks @hadley, I got some useful ideas again based on your post. But unfortunatelly `get` is a filtered function in `sandboxR` for safety reasons - till I get some time to remove this restriction and check what is `get`ed. Just try it out: http://sandboxr.no-ip.org/ :) --- Reply to this email directly or view it on GitHub: https://gist.github.com/2305356

## Assistant Professor / Dobelman Family Junior Chair Department of Statistics / Rice University http://had.co.nz/

Yes, there were "some" ways of calling get not identified by the filtering rules.

I have improved the filter plus implemented your great idea of running commands in a sandboxed environment just to be sure. I hope the sandbox is getting quite mighty now, I have to think about removing some of the needless (but too restrictive) regexp checks.

In short: thanks again! And please try to hack my server with the hardened rules.

Something doesn't seem quite right with your modified get function: x <- 1 get("x") -> object 'x' not found

On Wed, Apr 4, 2012 at 6:46 PM, Gergely Daróczi ***@***.*** wrote: Yes, there were "some" ways of calling `get` not identified by the filtering rules. I have improved the filter plus implemented your great idea of running commands in a sandboxed environment just to be sure. I hope the sandbox is getting quite mighty now, I have to think about removing some of the needless (but too restrictive) regexp checks. In short: thanks again! And please try to hack my server with the hardened rules. --- Reply to this email directly or view it on GitHub: https://gist.github.com/2305356

## Assistant Professor / Dobelman Family Junior Chair Department of Statistics / Rice University http://had.co.nz/

You are right, sorry for the trouble and thanks!
I've pushed a quickfix, and should work now. But after Easter passed I would really start to (re)work the current approach, which could not lead to such buggy issues. I have some ideas to test before.

I have extended my testfile and it seems that those nasty bugs are gone now.
Besides that I could redesign the filtering mechanism and made it a lot simpler (with a not so neat hack of modifying formula.character) which seems to make its job ATM. Your really appreciated feedback is still really welcomed!