Monday, August 21, 2006

Securing Crunchy

Following my last post, some alert readers pointed out that Crunchy could be a security risk for its users. Crunchy acts as a web server, fetching HTML-based Python tutorials and displaying them in your browser with controls that allow you to execute the Python code. This is meant as a good thing... but it might not be if the code is allowed to run automatically when the page is loaded. In fact, this might have occurred with previous (<0.7) versions. Johannes and I changed the way that Crunchy works so as to remove any security worries - at least, we hope so. Anyone interested can obviously look at the code; for others, here's what we do:
  • Each time Crunchy starts, it generates a random session number (10 digits long).
  • The javascript code used to communicate between Crunchy and the browser is fetched from a static file and modified to include the unique session number as part of each command; a new javascript file, with a filename that incorporates the session number is generated.
  • When Crunchy fetches an html page, it processes it to remove unwanted code. This means removing all (java-)scripts and only allowing html tags that are on a "whitelist". This whitelist excludes any of the usual "onload", "oninit", etc., automatic execution.
  • Next, Crunchy interactive elements (Python interpreter, code editor, button for Python code execution, etc.) are inserted with the javascript calls, each call given a unique identifier for that session.
  • Finally, the processed page is displayed in the browser, with the server waiting for user-generated interactions.
  • This procedure is repeated for any page that is loaded during that session.
  • At the end of a session, when Crunchy is terminated, the javascript file that was generated and used in that session is deleted.
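
The procedure above, sketched as an added example (this is not Crunchy's own code): a whitelist sanitizer that drops scripts and any attribute not explicitly allowed, plus a per-run session number that every command must carry. The whitelist contents, the function names and the use of the `secrets` module are assumptions made for this sketch.

```python
import hmac
import secrets
from html import escape
from html.parser import HTMLParser

# Assumed whitelist for this sketch; the post does not list Crunchy's real one.
ALLOWED = {"p": set(), "pre": {"title"}, "a": {"href"}, "h1": set(), "em": set()}
DROP_WITH_CONTENT = {"script", "style"}  # the text inside these is discarded too
SAFE_URL = ("http://", "https://", "/")  # anything else (javascript:, data:) is dropped

def new_session_id():
    """10-digit random session number, drawn from the OS CSPRNG."""
    return "%010d" % secrets.randbelow(10 ** 10)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            kept = []
            for name, value in attrs:
                # onload/onclick/... are never on the whitelist, so they vanish here
                bad_url = name == "href" and not (value or "").lower().startswith(SAFE_URL)
                if name in ALLOWED[tag] and not bad_url:
                    kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
            self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(page):
    parser = Sanitizer()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)

def command_allowed(session_id, supplied_id):
    """Server-side check: only commands carrying this run's id are executed."""
    return hmac.compare_digest(session_id.encode(), supplied_id.encode())
```

Tags that are not on the whitelist are removed but their text is kept; only `script` and `style` lose their content as well.
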
The latest version (0.7) includes these security features and many new additions [a complete list of the changes from version 0.6 is appended at the end of this message]. Currently, Johannes is working on adapting How to think like a computer scientist for use with Crunchy, as well as adding new interactive features. For my part, I have been working on internationalisation issues (adding a French interface) and other configuration choices. Due to end-of-summer holidays, work on Crunchy will likely slow down for a few weeks at least but we should be able to reach version 1.0 early in the Fall.

After that, I will be ready to start implementing rur-ple inside the Crunchy environment; if there is enough interest, I might implement a turtle graphics module as well.

===== Changes from 0.6 to 0.7 ================
0. Name change
To prevent confusion with an existing program named CrunchyFrog, "Crunchy Frog" has been renamed as "Crunchy", short for "Crunchy, the Interactive Python Tutorial Maker".

1. *Security fix*
The previous versions of Crunchy allowed tutorials containing arbitrary (and hidden) javascript code to be loaded within a browser window. The new version removes any existing javascript code prior to processing for display within a browser.

Feel free to try and break this - and please report any findings back to us.

2. New functionality.
  • It is possible to run external programs from within the browser; sample demos include GUI programs with 1. Tkinter, 2. pyGtk, 3. wxPython, 4. Pygame
  • Automatic syntax colouring of (static) Python code, including (as an option) line numbering.
  • New plotting canvas with simple to use api to draw mathematical functions
  • Drawing & plotting canvas can be set to arbitrary size.
  • Multiple canvases can now appear on the same page.
  • New addition and simplification to the sound api.
  • Simplification of error message (tracebacks) more suitable for beginners.
3. New visual design:
  • Integrated menu which can be styled through custom css
  • Three sample css styles now included (selectable via the browser menu)

4. New content:
  • First draft sound tutorial exploring concepts of frequency, beats, harmonics (Fourier series), etc.
  • New addition to the basic "Crunchy user" tutorial
  • Additions to all reference documentation (sound & graphics api, vlam options, etc.)
