From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: 1465@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Date: Mon, 4 May 2020 18:40:36 +0200
In-Reply-To: <1869583.Jh6TSF2MMF@hex>
References: <2807081.Gr0nKVqjWH@hex> <3d0ec19b-9273-4db0-2363-6ff18a4ebc00@baur-itcs.de> <1869583.Jh6TSF2MMF@hex>
On 04.05.20 at 18:00, Vladislav Kurz wrote:
> I know that redesigning the whole calculation as a web application would be much
> better. But if protection against 80% of users can be done with 20% effort, I
> would do it. You say that 100 % protection is not possible, so there is no
> reason to do anything...

As previously explained, there is probably no need to code the whole
application as a web app. All you should need, in my opinion, is a
frontend (GUI+X2Go, or Web, doesn't matter), proper input sanitizing,
and libreoffice in headless mode.

*.ods files are ZIP archives, so you can unzip them like so:

unzip samplecalc.ods
Archive:  samplecalc.ods
 extracting: mimetype
 extracting: Thumbnails/thumbnail.png
   creating: Configurations2/accelerator/
   creating: Configurations2/popupmenu/
   creating: Configurations2/toolpanel/
   creating: Configurations2/menubar/
   creating: Configurations2/images/Bitmaps/
   creating: Configurations2/toolbar/
   creating: Configurations2/floater/
   creating: Configurations2/statusbar/
   creating: Configurations2/progressbar/
  inflating: content.xml
  inflating: meta.xml
  inflating: styles.xml
  inflating: manifest.rdf
  inflating: settings.xml
  inflating: META-INF/manifest.xml

You would then use xmlstarlet to modify the fields in content.xml. Or
even simpler (but dirty), put some unique placeholders there and use sed
to replace them with your sanitized user-provided values.

Zip it all back together, and run:

soffice --convert-to pdf samplecalc.ods --headless

This gives you a samplecalc.pdf that you can open in a PDF viewer or web
browser.

Or you could provide your users with a template *.ods with identical
fields, but lacking the formulas. Have them fill out the fields in their
"dumb" copy, then read the field contents into your template and provide
them with the output. Either as PDF or as *.ods again - with the value
fields, but lacking the formulas again.

No need to rape X2Go code for this. In fact, it's probably safer and
saner to run all this on a web server.

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
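A worked version of the template-filling step Stefan describes above, written as an added Python example rather than the xmlstarlet/sed shell recipe in the message; it is not code from this thread or from the X2Go project. It builds a constructed minimal .ods in memory (the content.xml LibreOffice writes is much larger, but the cell and paragraph structure is the same), replaces each `{{placeholder}}` cell by assigning the user value as element text so the XML serialiser escapes it, and rewrites the archive with `mimetype` as the first, uncompressed entry as ODF packaging requires. The placeholder names, the sample cell layout, the 200-character limit and the sample values are assumptions. The "dirty" sed-style substitution is included beside it only to show what "sanitized" has to mean here: a bare `&` in a name makes the document unparseable, and a value containing tags changes the document's structure, while the element-text approach keeps both as literal cell contents.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# ODF namespaces used in content.xml; registering them keeps the usual
# prefixes when ElementTree serialises the tree again.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

ODS_MIMETYPE = b"application/vnd.oasis.opendocument.spreadsheet"
PLACEHOLDER = re.compile(r"^\{\{([a-z_]+)\}\}$")  # assumed placeholder syntax
MAX_VALUE_LEN = 200  # assumed upper bound for one user-supplied cell

# Constructed minimal content.xml: two placeholder cells the user fills in
# and one formula cell that stays in the template.
CONTENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
 xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" office:version="1.2">
 <office:body><office:spreadsheet>
  <table:table table:name="Sheet1"><table:table-row>
   <table:table-cell office:value-type="string"><text:p>{{customer}}</text:p></table:table-cell>
   <table:table-cell office:value-type="string"><text:p>{{amount}}</text:p></table:table-cell>
   <table:table-cell table:formula="of:=[.B1]*1.19"><text:p>0</text:p></table:table-cell>
  </table:table-row></table:table>
 </office:spreadsheet></office:body>
</office:document-content>
"""

MANIFEST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.spreadsheet"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>
</manifest:manifest>
"""


def write_ods(entries: dict) -> bytes:
    """Pack entries into an ODS archive: mimetype first and stored, the rest deflated."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zout:
        zout.writestr("mimetype", entries["mimetype"], compress_type=zipfile.ZIP_STORED)
        for name, data in entries.items():
            if name != "mimetype":
                zout.writestr(name, data, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()


def build_template() -> bytes:
    """Constructed sample template standing in for samplecalc.ods."""
    return write_ods({"mimetype": ODS_MIMETYPE, "content.xml": CONTENT_XML,
                      "META-INF/manifest.xml": MANIFEST_XML})


def fill_ods_template(template: bytes, values: dict) -> bytes:
    """Replace every {{name}} paragraph in content.xml with values[name].

    The value becomes element text, so '&', '<' and '>' are escaped by the
    serialiser and cannot open or close elements in the document.
    """
    with zipfile.ZipFile(io.BytesIO(template)) as zin:
        entries = {name: zin.read(name) for name in zin.namelist()}
    root = ET.fromstring(entries["content.xml"])
    for p in root.iter(f"{{{NS['text']}}}p"):
        m = PLACEHOLDER.match(p.text or "")
        if not m:
            continue
        key = m.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for placeholder {key}")
        value = values[key]
        if not isinstance(value, str) or len(value) > MAX_VALUE_LEN:
            raise ValueError(f"rejected value for {key}")
        p.text = value
    entries["content.xml"] = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    return write_ods(entries)


def sed_style_fill(content_xml: bytes, values: dict) -> bytes:
    """The 'dirty' variant: blind byte substitution, kept only for comparison."""
    for key, value in values.items():
        content_xml = content_xml.replace(b"{{" + key.encode() + b"}}", value.encode())
    return content_xml


def paragraph_texts(content_xml: bytes):
    """Texts of all text:p elements in document order, or None if the XML is not well-formed."""
    try:
        root = ET.fromstring(content_xml)
    except ET.ParseError:
        return None
    return [p.text or "" for p in root.iter(f"{{{NS['text']}}}p")]


def content_of(ods: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(ods)) as z:
        return z.read("content.xml")


def first_entry(ods: bytes):
    """(name, compress_type) of the first archive member; ODF wants ('mimetype', stored)."""
    info = zipfile.ZipFile(io.BytesIO(ods)).infolist()[0]
    return info.filename, info.compress_type


if __name__ == "__main__":
    hostile = {"customer": "Müller & Söhne", "amount": "</text:p><text:p>42"}
    print(paragraph_texts(content_of(fill_ods_template(build_template(), hostile))))
    print(paragraph_texts(sed_style_fill(CONTENT_XML, hostile)))
```

The filled archive is what you would then hand to `soffice --convert-to pdf --headless`; the formula cell is untouched by the fill, so the user only ever controls the text of the two input cells.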