<div dir="ltr">Hi Glynn.<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 7, 2014 at 5:14 PM, Glynn Clements <span dir="ltr">&lt;<a href="mailto:glynn@gclements.plus.com" target="_blank">glynn@gclements.plus.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
Rashad M wrote:<br>
<br>
> I would like to check with grass-devs about the possibility of having a web<br>
> version of GRASS GIS as a part of SoC 2014. I had done some behind the<br>
> scenes work for web version using C++ web toolkit Wt[1]. This involves<br>
> running GRASS modules online just like you do on Desktop with a UI that<br>
> resembles that of wxGUI. I had been in touch with one of my juniors in my<br>
> lab and he is interested to work on it. I could mentor this project as I<br>
> had experience with Wt, GRASS and GSoC. I hope this web version will be<br>
> very useful to both users and developers.<br>
><br>
> Comments and suggestions are most welcomed.<br>
<br>
</div></div>My main concern would be security.<br>
<br>
You will need to thoroughly sanitise all inputs. You cannot rely upon<br>
GRASS modules to do this, as e.g. most string handling uses fixed-size<br>
buffers, so you need to explicitly limit the length of any arguments<br>
to avoid the possibility of buffer overruns.<br>
<br></blockquote><div><br></div><div>I am not clear about this. Maybe security and web apps are causing me some confusion.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
None of this is an issue for normal use, as "exploiting" GRASS modules<br>
doesn't gain a user any access which they don't already have. But for<br>
a web application, allowing a user to run GRASS modules with arbitrary<br>
inputs amounts to giving them shell access.<br></blockquote><div><br></div><div>Regarding shell access, we are thinking of IPython, and Massimo had experience in using it with GRASS. We are exploring its integration with Wt.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
You might even want to create an actual Unix account for each user, so<br>
that any failures regarding input sanitisation are contained. However,<br>
this would require something like suExec or servlets.<br></blockquote><div><br></div><div>I thought of having a user account set up, and the "shell" on the web UI won't allow navigating around any folder.</div><div>
<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Glynn Clements &lt;<a href="mailto:glynn@gclements.plus.com">glynn@gclements.plus.com</a>&gt;<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><font face="arial, helvetica, sans-serif">Regards,<br> Rashad</font></div>
</div></div>
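<p>An added example, not part of either email and not GRASS or Wt code: one way a web front end could apply the input checks described in the thread before it launches a module, capping argument length in bytes and building an argv list that never passes through a shell. The module allowlist, the 64-byte cap, the character classes and the sample requests are assumptions constructed for illustration.</p>

```python
import re

# Assumptions for this sketch: the allowlist, the 64-byte cap and the
# patterns below are illustrative choices, not limits taken from GRASS.
ALLOWED_MODULES = {"r.info", "v.info", "g.region"}
MAX_ARG_BYTES = 64
KEY_RE = re.compile(r"[a-z][a-z0-9_]*")
VALUE_RE = re.compile(r"[A-Za-z0-9_.,@-]+")


class RejectedInput(ValueError):
    """Raised when a request must not be turned into a command line."""


def build_argv(module, params):
    """Return an argv list for an allowlisted module, or raise RejectedInput.

    The list is meant for subprocess.run(argv, shell=False), so no shell
    ever parses user-supplied text.
    """
    if module not in ALLOWED_MODULES:
        raise RejectedInput("module not allowlisted")
    argv = [module]
    for key, value in sorted(params.items()):
        if not isinstance(key, str) or not isinstance(value, str):
            raise RejectedInput("non-string parameter")
        if not KEY_RE.fullmatch(key):
            raise RejectedInput("bad option name")
        arg = f"{key}={value}"
        # Cap the encoded size: fixed-size C buffers count bytes, not characters.
        if len(arg.encode("utf-8")) > MAX_ARG_BYTES:
            raise RejectedInput("argument too long")
        # The strict class rejects whitespace, NUL, quotes, shell metacharacters
        # and path separators; a leading '-' would be read as a flag.
        if not VALUE_RE.fullmatch(value) or value.startswith("-"):
            raise RejectedInput("bad option value")
        argv.append(arg)
    return argv


def check(module, params):
    """Return (True, argv) or (False, reason) without raising."""
    try:
        return True, build_argv(module, params)
    except RejectedInput as exc:
        return False, str(exc)
```

<p>These checks are the first layer only; the per-user Unix account suggested in the thread is what contains a request that slips past them.</p>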