[Nexus] proposed additions to NXdata for non-linear scaling - to aid cbf interoperability

Wintersberger, Eugen eugen.wintersberger at desy.de
Tue Mar 18 12:43:25 GMT 2014


Hi folks 


> I'm rather sceptical about using Python eval syntax here.  Depending on
> details of the implementation it will give the creator of the NeXus
> file the ability to execute arbitrary code in the reader's machine
> using the reader's privileges.  

That's a good point.

> Using any NeXus client implementing
> this feature one would need to be very careful to read NeXus files from
> trusted sources only.  This seems to spoil the purpose of NeXus to be a
> common data format to facilitate the cooperation in the scientific
> community.

In my opinion, not taking the security issue you have mentioned into
account will distract people even more from Nexus. It is already hard to
convince them to use it now. However, the issue is not limited to
standard Nexus but applies to virtually all file formats (including HDF5)
that include executable code (in particular in a Turing complete language).
Remember PDF and JavaScript ......

> 
> It will be much easier to keep the impact on security issues under
> control if one uses a syntax that is by design strictly limited to
> mathematical expressions, such as muParser.

Most probably the best argument in favor of muParser I have heard so
far. 

regards
  Eugen

> 
> Rolf
> 
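As an added illustration of the point discussed in this message (not code from the thread, from NeXus, or from muParser): a reader can evaluate a scaling expression taken from a file without calling `eval` by parsing it and walking only a whitelist of arithmetic nodes. The names `evaluate`, `is_allowed`, `UnsafeExpression`, the permitted function set and the `MAX_LEN` bound are assumptions made for this sketch.

```python
import ast
import math
import operator

# Whitelists: any syntax, operator or function not listed here is rejected.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Pow: math.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
FUNCS = {"sqrt": math.sqrt, "log": math.log, "exp": math.exp}  # assumed set
MAX_LEN = 200  # assumed bound; also limits nesting depth

class UnsafeExpression(ValueError):
    """The expression uses something outside the arithmetic whitelist."""

def evaluate(expr, variables):
    """Evaluate an arithmetic expression from an untrusted file as floats."""
    if len(expr) > MAX_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeExpression("not a valid expression") from exc
    return _walk(tree.body, variables)

def _walk(node, variables):
    if isinstance(node, ast.Constant):
        if type(node.value) in (int, float):  # excludes bool, str, complex
            return float(node.value)          # floats keep pow() bounded
        raise UnsafeExpression("only numeric literals are allowed")
    if isinstance(node, ast.Name):
        if node.id in variables:
            return float(variables[node.id])
        raise UnsafeExpression(f"unknown variable {node.id!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_walk(node.left, variables),
                                      _walk(node.right, variables))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand, variables))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCS and not node.keywords):
        return FUNCS[node.func.id](*[_walk(a, variables) for a in node.args])
    raise UnsafeExpression(f"{type(node).__name__} is not allowed")

def is_allowed(expr, variables):
    try:
        evaluate(expr, variables)
    except UnsafeExpression:
        return False
    return True
```

Attribute access, subscripts, lambdas, string literals and calls to anything outside `FUNCS` never reach evaluation; ordinary arithmetic failures (division by zero, overflow, domain errors) still propagate as Python exceptions for the reader to handle.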
