using tog(1) as an alternative to gotwebd(8) (anonymous access)
On Wed, Oct 04, 2023 at 06:00:24PM +0200, Lorenz (xha) wrote:
...
>on second thought, it's probably a good idea to not use a shell script
>but instead something like a simple lua or python script that exec's
>tog.
>
>it's nice to have some sort of overview if you just want to look into
>what the repository contains.
>
>so the question is just, is it really safe, just from the perspective of
>tog(1), to provide something like this to the outside world?
>
>i have looked into the code of tog and as far as i understand, this
>should be fine?

Are denial of service attacks a concern? I wonder if tog's blame view
could get expensive in some old repos. And you could run out of ptys.

Another concern I would have is: what if tog gains new features, like a
way to switch repos after tog starts (bypassing your filter), or to make
changes to the repo? I haven't read anywhere that tog is designed to be
exposed to untrusted users. (Maybe tog's authors can reassure you about
that, though.)

In general, ssh and unix logins are complicated and I personally would
worry that I'd be missing some attack vector, like maybe an attacker can
set an environment variable in a clever way.

I have been thinking about deploying gotd, but will carefully read the
advice in the gotsh(1) manual page if I do.

--
James