Remote FreePascal compile service, feedback requested

classic Classic list List threaded Threaded
26 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Remote FreePascal compile service, feedback requested

Tom Verhoeff
We (still) use FreePascal quite a bit in our first/second-year education,
in particular, in <PEACH.win.tue.nl>, our Programming Education And
Contest Hosting verification system.

I was thinking of adding a remote FreePascal service along the following
lines.  You go to its web interface, browse for your source files
(possibly a whole zip archive) on your local machine, enter command-line
options, and let our server compile your stuff with a (selectable)
version of fpc (under Linux), then you get back the results (possibly
also in a zip archive).  Mabye we can support cross compiles as well.

Why do this?  Because that way people can use/try FreePascal without
installing anything.

Furthermore, we plan to support several versions of FreePascal in
parallel.  That way, it may also be useful to the FreePascal community.
E.g. when diagnosing a problem.

Here are some questions:

  1.  Do you think this service would be useful?

  2.  Do you think the interface described above is good enough?
      Suggestions for refinements would be appreciated.

  3.  Are there any security risks that we may have overlooked?
      Of course, we will impose certain limitation to avoid resource
      hogging.  But maybe there are ways to put together a malicious
      source file that makes the compiler misbehave ...

  4.  Whatever else comes to your mind ...

Best regards,

        Tom Verhoeff
--
E-MAIL: T.Verhoeff @ TUE.NL     | Fac. of Math. & Computing Science
PHONE:  +31 40 247 41 25        | Eindhoven University of Technology
FAX:    +31 40 247 54 04        | PO Box 513, NL-5600 MB Eindhoven
http://www.win.tue.nl/~wstomv/  | The Netherlands
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Michael Van Canneyt


On Mon, 5 Dec 2005, Tom Verhoeff wrote:

> We (still) use FreePascal quite a bit in our first/second-year education,
> in particular, in <PEACH.win.tue.nl>, our Programming Education And
> Contest Hosting verification system.
>
> I was thinking of adding a remote FreePascal service along the following
> lines.  You go to its web interface, browse for your source files
> (possibly a whole zip archive) on your local machine, enter command-line
> options, and let our server compile your stuff with a (selectable)
> version of fpc (under Linux), then you get back the results (possibly
> also in a zip archive).  Mabye we can support cross compiles as well.
>
> Why do this?  Because that way people can use/try FreePascal without
> installing anything.
>
> Furthermore, we plan to support several versions of FreePascal in
> parallel.  That way, it may also be useful to the FreePascal community.
> E.g. when diagnosing a problem.
>
> Here are some questions:
>
>  1.  Do you think this service would be useful?
>
>  2.  Do you think the interface described above is good enough?
>      Suggestions for refinements would be appreciated.
>
>  3.  Are there any security risks that we may have overlooked?
>      Of course, we will impose certain limitation to avoid resource
>      hogging.  But maybe there are ways to put together a malicious
>      source file that makes the compiler misbehave ...
>
>  4.  Whatever else comes to your mind ...

Don't make all distributed units available, and forbid the use of some
units. You don't want people opening an FTP socket and download 24G on
your machine.

Even then, people could create a unit that makes direct kernel calls, or
link to C. I would disallow use of the external keyword, {$L} and {$Linklib }
statements in sources. So you'll definitely need some preprocessing.

Michael.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Micha Nelissen
Michael Van Canneyt wrote:
>
> Don't make all distributed units available, and forbid the use of some
> units. You don't want people opening an FTP socket and download 24G on
> your machine.

I think it only compiles things, and does not execute them.

Micha

_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Jonas Maebe-2
In reply to this post by Michael Van Canneyt

On 5 dec 2005, at 13:59, Michael Van Canneyt wrote:

> Don't make all distributed units available, and forbid the use of some
> units. You don't want people opening an FTP socket and download 24G on
> your machine.
>
> Even then, people could create a unit that makes direct kernel  
> calls, or
> link to C. I would disallow use of the external keyword, {$L} and  
> {$Linklib }
> statements in sources. So you'll definitely need some preprocessing.

He only wants to allow remote compiling, not remote running. He  
wonders whether the compiler contains security holes that could be  
triggered by feeding it illegal source code. The answer is that it is  
that the compiler still contains errors which can cause it to crash  
in some situations, so it may be possible for specially grafted  
source code to make the compiler do all sorts of naughty things. I  
have not yet seen any examples of this, however.


Jonas
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Felipe Monteiro de Carvalho
In reply to this post by Tom Verhoeff
On 12/5/05, Tom Verhoeff <[hidden email]> wrote:
>   1.  Do you think this service would be useful?

Extremely useful! And a great idea. Things like that can be revolutionary.

>   2.  Do you think the interface described above is good enough?
>       Suggestions for refinements would be appreciated.

I work a lot with user interfaces, and as such, I beliave that this
kind of project can benifit greatly from a easy to use, intuitive,
good looking, but clean interface.

A few suggestions:

- Make a integrated help system. With very basic stuff about coding
pascal programs. An way to access the documentation for the Run-time
Library might also be nice.

- Output compiler messages, so you can see any problems witch might
have occured.

- Translate the page to other languages. I am even be willing to help.
I know php and xhtml well if help is needed creating the page.

--
Felipe Monteiro de Carvalho
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Tony Pelton
In reply to this post by Tom Verhoeff
On 12/5/05, Tom Verhoeff <[hidden email]> wrote:
> Why do this?  Because that way people can use/try FreePascal without
> installing anything.

ah ...

installing really isn't too complicated currently.

download a tarball, expand it, and run the compiler ?

i can't imagine having to fiddle around with some webapp is going to
be any simpler than that.

> Mabye we can support cross compiles as well.

_this_ might actually be compelling.

i use FreePascal for developing plugins for a flight simulator for instance.

the flight simulator runs on windows, OSX and Linux, but i only have
access to windows and linux for compiling.

being able to cross compile to OSX would be cool.

there are others in the same community of people who use Delphi, that
i have been trying to hook into FreePascal who have the same problem.

being able to point them at a place to cross compile their Delphi
projects to non-windows platforms would be cool.

>
> Furthermore, we plan to support several versions of FreePascal in
> parallel.  That way, it may also be useful to the FreePascal community.
> E.g. when diagnosing a problem.

i suspect anyone who is "diagnosing" anything to this detail is going
to want to have their versions/tools locally so that can see what is
going on.

>
>         Tom Verhoeff

Tony
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Marco van de Voort
In reply to this post by Tom Verhoeff
> Furthermore, we plan to support several versions of FreePascal in
> parallel.  That way, it may also be useful to the FreePascal community.
> E.g. when diagnosing a problem.
>
> Here are some questions:
>
>   1.  Do you think this service would be useful?

Yes. Also for us, since this allows users to evaluate compilation with
several versions. (e.g. last release, last known good snapshot, relative
recent (SVN) version  of each branch)
 
>   2.  Do you think the interface described above is good enough?
>       Suggestions for refinements would be appreciated.

As a design parameter, keep the possibility to use two or more builds of
the same version. This mainly for SVN versions.

>   3.  Are there any security risks that we may have overlooked?
>       Of course, we will impose certain limitation to avoid resource
>       hogging.  But maybe there are ways to put together a malicious
>       source file that makes the compiler misbehave ...

Make sure the mem limits are tight enough, and guard against a lot of
requests in rapid order. (some ratelimiting?)
 
The basic problem is user spawning processes that use tons of memory. Has
written "denial of service" written all over it with capital z.

Maybe there is some excuting possible via windres and via the linker call.
(those contain program execution, some of those might use shell; shell code
injection?)
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Michael Van Canneyt
In reply to this post by Felipe Monteiro de Carvalho


On Mon, 5 Dec 2005, Felipe Monteiro de Carvalho wrote:

> On 12/5/05, Tom Verhoeff <[hidden email]> wrote:
>>   1.  Do you think this service would be useful?
>
> Extremely useful! And a great idea. Things like that can be revolutionary.
>
>>   2.  Do you think the interface described above is good enough?
>>       Suggestions for refinements would be appreciated.
>
> I work a lot with user interfaces, and as such, I beliave that this
> kind of project can benifit greatly from a easy to use, intuitive,
> good looking, but clean interface.
>
> A few suggestions:
>
> - Make a integrated help system. With very basic stuff about coding
> pascal programs. An way to access the documentation for the Run-time
> Library might also be nice.
>
> - Output compiler messages, so you can see any problems witch might
> have occured.
>
> - Translate the page to other languages. I am even be willing to help.
> I know php and xhtml well if help is needed creating the page.

I would also add the possibility to upload a zip file with some units.
Processing a single unit is not useful for evaluation, and having to
upload all units manually is tedious and error-prone.

Michael.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Jonas Maebe-2

On 5 dec 2005, at 16:54, Michael Van Canneyt wrote:

> I would also add the possibility to upload a zip file with some units.
> Processing a single unit is not useful for evaluation, and having to
> upload all units manually is tedious and error-prone.

 From the original mail:

***
I was thinking of adding a remote FreePascal service along the following
lines.  You go to its web interface, browse for your source files
(possibly a whole zip archive) on your local machine, enter command-line
options, and let our server compile your stuff with a (selectable)
version of fpc (under Linux), then you get back the results (possibly
also in a zip archive).  Mabye we can support cross compiles as well.
***


Jonas
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Tom Verhoeff
In reply to this post by Micha Nelissen
On Mon, Dec 05, 2005 at 01:55:29PM +0100, Micha Nelissen wrote:
> Michael Van Canneyt wrote:
> >
> >Don't make all distributed units available, and forbid the use of some
> >units. You don't want people opening an FTP socket and download 24G on
> >your machine.
>
> I think it only compiles things, and does not execute them.

Correct.  It is compile only, without execution of the resulting binary.

        Tom
--
E-MAIL: T.Verhoeff @ TUE.NL     | Fac. of Math. & Computing Science
PHONE:  +31 40 247 41 25        | Eindhoven University of Technology
FAX:    +31 40 247 54 04        | PO Box 513, NL-5600 MB Eindhoven
http://www.win.tue.nl/~wstomv/  | The Netherlands
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Tom Verhoeff
In reply to this post by Michael Van Canneyt
On Mon, Dec 05, 2005 at 04:54:25PM +0100, Michael Van Canneyt wrote:
>
> I would also add the possibility to upload a zip file with some units.
> Processing a single unit is not useful for evaluation, and having to
> upload all units manually is tedious and error-prone.

That is the intention (as indicated in my original message):

> ...     You go to its web interface, browse for your source files
> (possibly a whole zip archive) on your local machine, enter command-line
> options, ...

Thanks for all the useful comments,

        Tom
--
E-MAIL: T.Verhoeff @ TUE.NL     | Fac. of Math. & Computing Science
PHONE:  +31 40 247 41 25        | Eindhoven University of Technology
FAX:    +31 40 247 54 04        | PO Box 513, NL-5600 MB Eindhoven
http://www.win.tue.nl/~wstomv/  | The Netherlands
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

L505
In reply to this post by Tom Verhoeff
I made a browser based freepascal compiler to demonstrate something I call "Browser
Abuse Syndrome".  Along with a Tail utility Paul was interested in seeing, it is
doable. The bandwidth, though, is expensive.

_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Michael Van Canneyt
In reply to this post by Jonas Maebe-2


On Mon, 5 Dec 2005, Jonas Maebe wrote:

>
> On 5 dec 2005, at 16:54, Michael Van Canneyt wrote:
>
> > I would also add the possibility to upload a zip file with some units.
> > Processing a single unit is not useful for evaluation, and having to
> > upload all units manually is tedious and error-prone.
>
> From the original mail:
>
> ***
> I was thinking of adding a remote FreePascal service along the following
> lines.  You go to its web interface, browse for your source files
> (possibly a whole zip archive) on your local machine, enter command-line
> options, and let our server compile your stuff with a (selectable)
> version of fpc (under Linux), then you get back the results (possibly
> also in a zip archive).  Mabye we can support cross compiles as well.
> ***

Hmmm.
The helpdesk was definitely bugging me too much today.
I should not try and remember FPC list threads when that happens...

My apologies :/

Michael.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

L505
In reply to this post by Michael Van Canneyt
Also, a simple macro could end up in a neverending loop and bring down the server.
Lots of other ways to make a compiler go nuts.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Michael Van Canneyt


On Mon, 5 Dec 2005, L505 wrote:

> Also, a simple macro could end up in a neverending loop and bring down the server.
> Lots of other ways to make a compiler go nuts.

The Free Pascal compiler checks for recursive expansion. If it goes over 16, it stops.

In case you prove otherwise, of course, we have a bug...

Michael.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

L505
In reply to this post by Jonas Maebe-2


> > Don't make all distributed units available, and forbid the use of some
> > units. You don't want people opening an FTP socket and download 24G on
> > your machine.
> >
> > Even then, people could create a unit that makes direct kernel  
> > calls, or
> > link to C. I would disallow use of the external keyword, {$L} and  
> > {$Linklib }
> > statements in sources. So you'll definitely need some preprocessing.
>
> He only wants to allow remote compiling, not remote running. He  
> wonders whether the compiler contains security holes that could be  
> triggered by feeding it illegal source code. The answer is that it is  
> that the compiler still contains errors which can cause it to crash  
> in some situations, so it may be possible for specially grafted  
> source code to make the compiler do all sorts of naughty things. I  
> have not yet seen any examples of this, however.
>

 - Macros, never ending loops...

 - Huge source files (copy and paste 6,000,000 lines into the edit box).

_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Michael Van Canneyt


On Mon, 5 Dec 2005, L505 wrote:

>
>
> > > Don't make all distributed units available, and forbid the use of some
> > > units. You don't want people opening an FTP socket and download 24G on
> > > your machine.
> > >
> > > Even then, people could create a unit that makes direct kernel  
> > > calls, or
> > > link to C. I would disallow use of the external keyword, {$L} and  
> > > {$Linklib }
> > > statements in sources. So you'll definitely need some preprocessing.
> >
> > He only wants to allow remote compiling, not remote running. He  
> > wonders whether the compiler contains security holes that could be  
> > triggered by feeding it illegal source code. The answer is that it is  
> > that the compiler still contains errors which can cause it to crash  
> > in some situations, so it may be possible for specially grafted  
> > source code to make the compiler do all sorts of naughty things. I  
> > have not yet seen any examples of this, however.
> >
>
>  - Macros, never ending loops...
>
>  - Huge source files (copy and paste 6,000,000 lines into the edit box).

The compiler should compile that in minutes on any recent machine :-)
And you can limit the edit box length. Standard web practice, I'd say ?

One could of course forge a web request.

Michael.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Darius Blaszyk
In reply to this post by Tom Verhoeff
One thing I would like to add to the discussion is support for the LCL.
Dunno if it was explicitly the puurpose to do that already, but I thought
I should mention it anyway.

Darius

> We (still) use FreePascal quite a bit in our first/second-year education,
> in particular, in <PEACH.win.tue.nl>, our Programming Education And
> Contest Hosting verification system.
>
> I was thinking of adding a remote FreePascal service along the following
> lines.  You go to its web interface, browse for your source files
> (possibly a whole zip archive) on your local machine, enter command-line
> options, and let our server compile your stuff with a (selectable)
> version of fpc (under Linux), then you get back the results (possibly
> also in a zip archive).  Mabye we can support cross compiles as well.
>
> Why do this?  Because that way people can use/try FreePascal without
> installing anything.
>
> Furthermore, we plan to support several versions of FreePascal in
> parallel.  That way, it may also be useful to the FreePascal community.
> E.g. when diagnosing a problem.
>
> Here are some questions:
>
>   1.  Do you think this service would be useful?
>
>   2.  Do you think the interface described above is good enough?
>       Suggestions for refinements would be appreciated.
>
>   3.  Are there any security risks that we may have overlooked?
>       Of course, we will impose certain limitation to avoid resource
>       hogging.  But maybe there are ways to put together a malicious
>       source file that makes the compiler misbehave ...
>
>   4.  Whatever else comes to your mind ...
>
> Best regards,
>
> Tom Verhoeff
> --
> E-MAIL: T.Verhoeff @ TUE.NL     | Fac. of Math. & Computing Science
> PHONE:  +31 40 247 41 25        | Eindhoven University of Technology
> FAX:    +31 40 247 54 04        | PO Box 513, NL-5600 MB Eindhoven
> http://www.win.tue.nl/~wstomv/  | The Netherlands
> _______________________________________________
> fpc-pascal maillist  -  [hidden email]
> http://lists.freepascal.org/mailman/listinfo/fpc-pascal
>


_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Adem
In reply to this post by Tom Verhoeff
Tom Verhoeff wrote:
> I was thinking of adding a remote FreePascal service along the following
> lines.  You go to its web interface, browse for your source files
> (possibly a whole zip archive) on your local machine, enter command-line
> options, and let our server compile your stuff with a (selectable)
> version of fpc (under Linux), then you get back the results (possibly
> also in a zip archive).  Mabye we can support cross compiles as well.

I think this is a great idea.

It takes FPC beyond open source --to being fully open access.

One could, then do coding on a dummy terminal in a hotel room or wherever
without having to carry around a laptop etc. Awesome, IMHO.

> Why do this?  Because that way people can use/try FreePascal without
> installing anything.

This too.

> Here are some questions:
>
>   1.  Do you think this service would be useful?

Definitely. See above.

>   2.  Do you think the interface described above is good enough?
>       Suggestions for refinements would be appreciated.

One thing I would love to have is t have an account and keep my source
files etc there, which would save us both fom the uploading the sources
all the time. And, a simple browser-based source editor maybe :-)

>   4.  Whatever else comes to your mind ...

AJAX based IDE? :-)
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Reply | Threaded
Open this post in threaded view
|

Re: Remote FreePascal compile service, feedback requested

Mattias Gaertner
In reply to this post by Michael Van Canneyt
On Mon, 5 Dec 2005 18:50:28 +0100 (CET)
Michael Van Canneyt <[hidden email]> wrote:

>
>
> On Mon, 5 Dec 2005, L505 wrote:
>
> > Also, a simple macro could end up in a neverending loop and bring down
> > the server. Lots of other ways to make a compiler go nuts.
>
> The Free Pascal compiler checks for recursive expansion. If it goes over
> 16, it stops.
>
> In case you prove otherwise, of course, we have a bug...

Here is my first fpc DOS attack:

type
  TMyClassA = class;
 
  TMyClassA = class(TMyClassA)
    procedure DoSomething; override;
  end;


Mattias
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
12