Discovered that you can run scripts on LeetCode's machines

2016-01-23 22:29:29 +08:00
 xcatliu

https://github.com/xcatliu/hack-leetcode

4037 clicks
Node: Programmers
12 replies
xcatliu
2016-01-23 22:42:10 +08:00
After thinking it over, I deleted the GitHub repo, so that nobody abuses it...

Already reported to LeetCode officially.
xcatliu
2016-01-23 23:43:29 +08:00
Hi,

First, thanks for reporting to us and deleting the GitHub repo. We do appreciate that you took the time to report to us and take some possible security holes offline so that evil minds won't take advantage of this to do something possibly malicious.

I do realize that you are able to run shell commands, and this is perfectly okay. You can even run `cat /etc/passwd` and that's allowed. The reason is everything is run inside a sandbox which would not affect the host system. However, I do prefer not to show the internal working of how the user code is run as shown in the `ps aux` command, which may tell something to the user more than he/she needs to know.
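The mitigation the reply above hints at (the sandbox protects the host, but `ps aux` still exposes how user code is run), as an added example that is not code from the thread or from LeetCode: run the untrusted command in its own PID namespace with a freshly mounted `/proc`, so process-listing tools inside it only see the sandbox's own processes. It assumes a Linux host with util-linux `unshare` and unprivileged user namespaces enabled; the function names are my own.

```shell
#!/bin/sh
# Run an untrusted command inside a private PID namespace with its own /proc,
# so `ps aux` (or reading /proc directly) cannot enumerate the host's processes.
# Assumes Linux, util-linux `unshare`, and unprivileged user namespaces.
run_in_pid_sandbox() {
    # --user --map-root-user: no real privileges needed on the host
    # --pid --fork:           the command becomes PID 1 of a new PID namespace
    # --mount-proc:           mount a fresh /proc for that namespace (implies a
    #                         new mount namespace), hiding host process entries
    unshare --user --map-root-user --pid --fork --mount-proc -- "$@"
}

# Number of process entries visible in /proc from inside the sandbox.
# Expect only a handful (the shell, ls, wc), not the host's whole process table.
sandbox_visible_procs() {
    run_in_pid_sandbox sh -c 'ls -d /proc/[0-9]* | wc -l'
}

# The same count on the host, for comparison.
host_visible_procs() {
    ls -d /proc/[0-9]* | wc -l
}
```

Without `--mount-proc` the new namespace still sees the host's `/proc`, which is exactly the leak the reply describes; the private mount is what closes it.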
virusdefender
2016-01-23 23:58:36 +08:00
All I can say is that LeetCode probably runs things in a VM; there is a sandbox, but its restrictions are far too loose.
mzer0
2016-01-24 00:30:53 +08:00
@xcatliu 能解释一下技术原理吗?
dndx
2016-01-24 01:23:14 +08:00
xcatliu
2016-01-24 10:10:06 +08:00
@virusdefender Yes, LeetCode isn't worried that you can run shell scripts; it only worries that once you know how things are run, it affects how you approach the problems.
xcatliu
2016-01-24 10:11:00 +08:00
@mzer0 Most languages have a way to execute shell commands, don't they?
xcatliu
2016-01-24 10:11:19 +08:00
@dndx Yes, just don't abuse it.
Arthur2e5
2016-01-24 12:54:40 +08:00
Delbert
2016-01-24 15:13:55 +08:00
LeetCode itself even has a shell section, so this isn't really a vulnerability, is it...
xcatliu
2016-01-24 16:10:12 +08:00
@Delbert That's what I asked LeetCode too..
vanxining
2016-01-24 22:25:18 +08:00
The LeetCode founder seems to be able to speak Chinese?

https://www.v2ex.com/t/252926
© 2021 V2EX