Show More
@@ -0,0 +1,13 b'' | |||||
|
1 | ==================== | |||
|
2 | The IPython notebook | |||
|
3 | ==================== | |||
|
4 | ||||
|
5 | .. toctree:: | |||
|
6 | :maxdepth: 2 | |||
|
7 | ||||
|
8 | notebook | |||
|
9 | cm_keyboard | |||
|
10 | nbconvert | |||
|
11 | public_server | |||
|
12 | security | |||
|
13 |
@@ -0,0 +1,52 b'' | |||||
|
1 | -----BEGIN PGP PUBLIC KEY BLOCK----- | |||
|
2 | Version: GnuPG v2.0.22 (GNU/Linux) | |||
|
3 | ||||
|
4 | mQINBFMx2LoBEAC9xU8JiKI1VlCJ4PT9zqhU5nChQZ06/bj1BBftiMJG07fdGVO0 | |||
|
5 | ibOn4TrCoRYaeRlet0UpHzxT4zDa5h3/usJaJNTSRwtWePw2o7Lik8J+F3LionRf | |||
|
6 | 8Jz81WpJ+81Klg4UWKErXjBHsu/50aoQm6ZNYG4S2nwOmMVEC4nc44IAA0bb+6kW | |||
|
7 | saFKKzEDsASGyuvyutdyUHiCfvvh5GOC2h9mXYvl4FaMW7K+d2UgCYERcXDNy7C1 | |||
|
8 | Bw+uepQ9ELKdG4ZpvonO6BNr1BWLln3wk93AQfD5qhfsYRJIyj0hJlaRLtBU3i6c | |||
|
9 | xs+gQNF4mPmybpPSGuOyUr4FYC7NfoG7IUMLj+DYa6d8LcMJO+9px4IbdhQvzGtC | |||
|
10 | qz5av1TX7/+gnS4L8C9i1g8xgI+MtvogngPmPY4repOlK6y3l/WtxUPkGkyYkn3s | |||
|
11 | RzYyE/GJgTwuxFXzMQs91s+/iELFQq/QwmEJf+g/QYfSAuM+lVGajEDNBYVAQkxf | |||
|
12 | gau4s8Gm0GzTZmINilk+7TxpXtKbFc/Yr4A/fMIHmaQ7KmJB84zKwONsQdVv7Jjj | |||
|
13 | 0dpwu8EIQdHxX3k7/Q+KKubEivgoSkVwuoQTG15X9xrOsDZNwfOVQh+JKazPvJtd | |||
|
14 | SNfep96r9t/8gnXv9JI95CGCQ8lNhXBUSBM3BDPTbudc4b6lFUyMXN0mKQARAQAB | |||
|
15 | tCxJUHl0aG9uIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QGlweXRob24ub3JnPokC | |||
|
16 | OAQTAQIAIgUCUzHYugIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQEwJc | |||
|
17 | LcmZYkjuXg//R/t6nMNQmf9W1h52IVfUbRAVmvZ5d063hQHKV2dssxtnA2dRm/x5 | |||
|
18 | JZu8Wz7ZrEZpyqwRJO14sxN1/lC3v+zs9XzYXr2lBTZuKCPIBypYVGIynCuWJBQJ | |||
|
19 | rWnfG4+u1RHahnjqlTWTY1C/le6v7SjAvCb6GbdA6k4ZL2EJjQlRaHDmzw3rV/+l | |||
|
20 | LLx6/tYzIsotuflm/bFumyOMmpQQpJjnCkWIVjnRICZvuAn97jLgtTI0+0Rzf4Zb | |||
|
21 | k2BwmHwDRqWCTTcRI9QvTl8AzjW+dNImN22TpGOBPfYj8BCZ9twrpKUbf+jNqJ1K | |||
|
22 | THQzFtpdJ6SzqiFVm74xW4TKqCLkbCQ/HtVjTGMGGz/y7KTtaLpGutQ6XE8SSy6P | |||
|
23 | EffSb5u+kKlQOWaH7Mc3B0yAojz6T3j5RSI8ts6pFi6pZhDg9hBfPK2dT0v/7Mkv | |||
|
24 | E1Z7q2IdjZnhhtGWjDAMtDDn2NbY2wuGoa5jAWAR0WvIbEZ3kOxuLE5/ZOG1FyYm | |||
|
25 | noJRliBz7038nT92EoD5g1pdzuxgXtGCpYyyjRZwaLmmi4CvA+oThKmnqWNY5lyY | |||
|
26 | ricdNHDiyEXK0YafJL1oZgM86MSb0jKJMp5U11nUkUGzkroFfpGDmzBwAzEPgeiF | |||
|
27 | 40+qgsKB9lqwb3G7PxvfSi3XwxfXgpm1cTyEaPSzsVzve3d1xeqb7Yq5Ag0EUzHY | |||
|
28 | ugEQALQ5FtLdNoxTxMsgvrRr1ejLiUeRNUfXtN1TYttOfvAhfBVnszjtkpIW8DCB | |||
|
29 | JF/bA7ETiH8OYYn/Fm6MPI5H64IHEncpzxjf57jgpXd9CA9U2OMk/P1nve5zYchP | |||
|
30 | QmP2fJxeAWr0aRH0Mse5JS5nCkh8Xv4nAjsBYeLTJEVOb1gPQFXOiFcVp3gaKAzX | |||
|
31 | GWOZ/mtG/uaNsabH/3TkcQQEgJefd11DWgMB7575GU+eME7c6hn3FPITA5TC5HUX | |||
|
32 | azvjv/PsWGTTVAJluJ3fUDvhpbGwYOh1uV0rB68lPpqVIro18IIJhNDnccM/xqko | |||
|
33 | 4fpJdokdg4L1wih+B04OEXnwgjWG8OIphR/oL/+M37VV2U7Om/GE6LGefaYccC9c | |||
|
34 | tIaacRQJmZpG/8RsimFIY2wJ07z8xYBITmhMmOt0bLBv0mU0ym5KH9Dnru1m9QDO | |||
|
35 | AHwcKrDgL85f9MCn+YYw0d1lYxjOXjf+moaeW3izXCJ5brM+MqVtixY6aos3YO29 | |||
|
36 | J7SzQ4aEDv3h/oKdDfZny21jcVPQxGDui8sqaZCi8usCcyqWsKvFHcr6vkwaufcm | |||
|
37 | 3Knr2HKVotOUF5CDZybopIz1sJvY/5Dx9yfRmtivJtglrxoDKsLi1rQTlEQcFhCS | |||
|
38 | ACjf7txLtv03vWHxmp4YKQFkkOlbyhIcvfPVLTvqGerdT2FHABEBAAGJAh8EGAEC | |||
|
39 | AAkFAlMx2LoCGwwACgkQEwJcLcmZYkgK0BAAny0YUugpZldiHzYNf8I6p2OpiDWv | |||
|
40 | ZHaguTTPg2LJSKaTd+5UHZwRFIWjcSiFu+qTGLNtZAdcr0D5f991CPvyDSLYgOwb | |||
|
41 | Jm2p3GM2KxfECWzFbB/n/PjbZ5iky3+5sPlOdBR4TkfG4fcu5GwUgCkVe5u3USAk | |||
|
42 | C6W5lpeaspDz39HAPRSIOFEX70+xV+6FZ17B7nixFGN+giTpGYOEdGFxtUNmHmf+ | |||
|
43 | waJoPECyImDwJvmlMTeP9jfahlB6Pzaxt6TBZYHetI/JR9FU69EmA+XfCSGt5S+0 | |||
|
44 | Eoc330gpsSzo2VlxwRCVNrcuKmG7PsFFANok05ssFq1/Djv5rJ++3lYb88b8HSP2 | |||
|
45 | 3pQJPrM7cQNU8iPku9yLXkY5qsoZOH+3yAia554Dgc8WBhp6fWh58R0dIONQxbbo | |||
|
46 | apNdwvlI8hKFB7TiUL6PNShE1yL+XD201iNkGAJXbLMIC1ImGLirUfU267A3Cop5 | |||
|
47 | hoGs179HGBcyj/sKA3uUIFdNtP+NndaP3v4iYhCitdVCvBJMm6K3tW88qkyRGzOk | |||
|
48 | 4PW422oyWKwbAPeMk5PubvEFuFAIoBAFn1zecrcOg85RzRnEeXaiemmmH8GOe1Xu | |||
|
49 | Kh+7h8XXyG6RPFy8tCcLOTk+miTqX+4VWy+kVqoS2cQ5IV8WsJ3S7aeIy0H89Z8n | |||
|
50 | 5vmLc+Ibz+eT+rM= | |||
|
51 | =XVDe | |||
|
52 | -----END PGP PUBLIC KEY BLOCK----- |
@@ -0,0 +1,146 b'' | |||||
|
1 | Security in IPython notebooks | |||
|
2 | ============================= | |||
|
3 | ||||
|
4 | As IPython notebooks become more popular for sharing and collaboration, | |||
|
5 | the potential for malicious people to attempt to exploit the notebook | |||
|
6 | for their nefarious purposes increases. IPython 2.0 introduces a | |||
|
7 | security model to prevent execution of untrusted code without explicit | |||
|
8 | user input. | |||
|
9 | ||||
|
10 | The problem | |||
|
11 | ----------- | |||
|
12 | ||||
|
13 | The whole point of IPython is arbitrary code execution. We have no | |||
|
14 | desire to limit what can be done with a notebook, which would negatively | |||
|
15 | impact its utility. | |||
|
16 | ||||
|
17 | Unlike other programs, an IPython notebook document includes output. | |||
|
18 | Unlike other documents, that output exists in a context that can execute | |||
|
19 | code (via Javascript). | |||
|
20 | ||||
|
21 | The security problem we need to solve is that no code should execute | |||
|
22 | just because a user has **opened** a notebook that **they did not | |||
|
23 | write**. Like any other program, once a user decides to execute code in | |||
|
24 | a notebook, it is considered trusted, and should be allowed to do | |||
|
25 | anything. | |||
|
26 | ||||
|
27 | Our security model | |||
|
28 | ------------------ | |||
|
29 | ||||
|
30 | - Untrusted HTML is always sanitized | |||
|
31 | - Untrusted Javascript is never executed | |||
|
32 | - HTML and Javascript in Markdown cells are never trusted | |||
|
33 | - **Outputs** generated by the user are trusted | |||
|
34 | - Any other HTML or Javascript (in Markdown cells, output generated by | |||
|
35 | others) is never trusted | |||
|
36 | - The central question of trust is "Did the current user do this?" | |||
|
37 | ||||
|
38 | The details of trust | |||
|
39 | -------------------- | |||
|
40 | ||||
|
41 | IPython notebooks store a signature in metadata, which is used to answer | |||
|
42 | the question "Did the current user do this?" | |||
|
43 | ||||
|
44 | This signature is a digest of the notebooks contents plus a secret key, | |||
|
45 | known only to the user. The secret key is a user-only readable file in | |||
|
46 | the IPython profile's security directory. By default, this is:: | |||
|
47 | ||||
|
48 | ~/.ipython/profile_default/security/notebook_secret | |||
|
49 | ||||
|
50 | When a notebook is opened by a user, the server computes a signature | |||
|
51 | with the user's key, and compares it with the signature stored in the | |||
|
52 | notebook's metadata. If the signature matches, HTML and Javascript | |||
|
53 | output in the notebook will be trusted at load, otherwise it will be | |||
|
54 | untrusted. | |||
|
55 | ||||
|
56 | Any output generated during an interactive session is trusted. | |||
|
57 | ||||
|
58 | Updating trust | |||
|
59 | ************** | |||
|
60 | ||||
|
61 | A notebook's trust is updated when the notebook is saved. If there are | |||
|
62 | any untrusted outputs still in the notebook, the notebook will not be | |||
|
63 | trusted, and no signature will be stored. If all untrusted outputs have | |||
|
64 | been removed (either via ``Clear Output`` or re-execution), then the | |||
|
65 | notebook will become trusted. | |||
|
66 | ||||
|
67 | While trust is updated per output, this is only for the duration of a | |||
|
68 | single session. A notebook file on disk is either trusted or not in its | |||
|
69 | entirety. | |||
|
70 | ||||
|
71 | Explicit trust | |||
|
72 | ************** | |||
|
73 | ||||
|
74 | Sometimes re-executing a notebook to generate trusted output is not an | |||
|
75 | option, either because dependencies are unavailable, or it would take a | |||
|
76 | long time. Users can explicitly trust a notebook in two ways: | |||
|
77 | ||||
|
78 | - At the command-line, with:: | |||
|
79 | ||||
|
80 | ipython trust /path/to/notebook.ipynb | |||
|
81 | ||||
|
82 | - After loading the untrusted notebook, with ``File / Trust Notebook`` | |||
|
83 | ||||
|
84 | These two methods simply load the notebook, compute a new signature with | |||
|
85 | the user's key, and then store the newly signed notebook. | |||
|
86 | ||||
|
87 | Reporting security issues | |||
|
88 | ------------------------- | |||
|
89 | ||||
|
90 | If you find a security vulnerability in IPython, either a failure of the | |||
|
91 | code to properly implement the model described here, or a failure of the | |||
|
92 | model itself, please report it to security@ipython.org. | |||
|
93 | ||||
|
94 | If you prefer to encrypt your security reports, | |||
|
95 | you can use :download:`this PGP public key <ipython_security.asc>`. | |||
|
96 | ||||
|
97 | Affected use cases | |||
|
98 | ------------------ | |||
|
99 | ||||
|
100 | Some use cases that work in IPython 1.0 will become less convenient in | |||
|
101 | 2.0 as a result of the security changes. We do our best to minimize | |||
|
102 | these annoyance, but security is always at odds with convenience. | |||
|
103 | ||||
|
104 | Javascript and CSS in Markdown cells | |||
|
105 | ************************************ | |||
|
106 | ||||
|
107 | While never officially supported, it had become common practice to put | |||
|
108 | hidden Javascript or CSS styling in Markdown cells, so that they would | |||
|
109 | not be visible on the page. Since Markdown cells are now sanitized (by | |||
|
110 | `Google Caja <https://developers.google.com/caja>`__), all Javascript | |||
|
111 | (including click event handlers, etc.) and CSS will be stripped. | |||
|
112 | ||||
|
113 | We plan to provide a mechanism for notebook themes, but in the meantime | |||
|
114 | styling the notebook can only be done via either ``custom.css`` or CSS | |||
|
115 | in HTML output. The latter only have an effect if the notebook is | |||
|
116 | trusted, because otherwise the output will be sanitized just like | |||
|
117 | Markdown. | |||
|
118 | ||||
|
119 | Collaboration | |||
|
120 | ************* | |||
|
121 | ||||
|
122 | When collaborating on a notebook, people probably want to see the | |||
|
123 | outputs produced by their colleagues' most recent executions. Since each | |||
|
124 | collaborator's key will differ, this will result in each share starting | |||
|
125 | in an untrusted state. There are three basic approaches to this: | |||
|
126 | ||||
|
127 | - re-run notebooks when you get them (not always viable) | |||
|
128 | - explicitly trust notebooks via ``ipython trust`` or the notebook menu | |||
|
129 | (annoying, but easy) | |||
|
130 | - share a notebook secret, and use an IPython profile dedicated to the | |||
|
131 | collaboration while working on the project. | |||
|
132 | ||||
|
133 | Multiple profiles or machines | |||
|
134 | ***************************** | |||
|
135 | ||||
|
136 | Since the notebook secret is stored in a profile directory by default, | |||
|
137 | opening a notebook with a different profile or on a different machine | |||
|
138 | will result in a different key, and thus be untrusted. The only current | |||
|
139 | way to address this is by sharing the notebook secret. This can be | |||
|
140 | facilitated by setting the configurable: | |||
|
141 | ||||
|
142 | .. sourcecode:: python | |||
|
143 | ||||
|
144 | c.NotebookApp.secret_file = "/path/to/notebook_secret" | |||
|
145 | ||||
|
146 | in each profile, and only sharing the secret once per machine. |
@@ -1,9 +1,9 b'' | |||||
1 | <html> |
|
1 | <html> | |
2 | <head> |
|
2 | <head> | |
3 | <meta http-equiv="Refresh" content="0; url=notebook.html" /> |
|
3 | <meta http-equiv="Refresh" content="0; url=../notebook/index.html" /> | |
4 |
<title>Notebook |
|
4 | <title>Notebook docs have moved</title> | |
5 |
</head> |
|
5 | </head> | |
6 | <body> |
|
6 | <body> | |
7 |
<p>The notebook |
|
7 | <p>The notebook docs have moved <a href="../notebook/index.html">here</a>.</p> | |
8 | </body> |
|
8 | </body> | |
9 | </html> |
|
9 | </html> |
@@ -164,7 +164,10 b" html_last_updated_fmt = '%b %d, %Y'" | |||||
164 | # Additional templates that should be rendered to pages, maps page names to |
|
164 | # Additional templates that should be rendered to pages, maps page names to | |
165 | # template names. |
|
165 | # template names. | |
166 | html_additional_pages = { |
|
166 | html_additional_pages = { | |
167 |
|
|
167 | 'interactive/htmlnotebook': 'notebook_redirect.html', | |
|
168 | 'interactive/notebook': 'notebook_redirect.html', | |||
|
169 | 'interactive/nbconvert': 'notebook_redirect.html', | |||
|
170 | 'interactive/public_server': 'notebook_redirect.html', | |||
168 | } |
|
171 | } | |
169 |
|
172 | |||
170 | # If false, no module index is generated. |
|
173 | # If false, no module index is generated. |
@@ -25,6 +25,7 b' Contents' | |||||
25 | whatsnew/index |
|
25 | whatsnew/index | |
26 | install/index |
|
26 | install/index | |
27 | interactive/index |
|
27 | interactive/index | |
|
28 | notebook/index | |||
28 | parallel/index |
|
29 | parallel/index | |
29 | config/index |
|
30 | config/index | |
30 | development/index |
|
31 | development/index |
@@ -10,9 +10,7 b' Using IPython for interactive work' | |||||
10 | reference |
|
10 | reference | |
11 | shell |
|
11 | shell | |
12 | qtconsole |
|
12 | qtconsole | |
13 | notebook |
|
|||
14 | cm_keyboard |
|
|||
15 | nbconvert |
|
|||
16 | public_server |
|
|||
17 |
|
13 | |||
|
14 | .. seealso:: | |||
18 |
|
15 | |||
|
16 | :doc:`/notebook/index` |
1 | NO CONTENT: file renamed from docs/source/interactive/cm_keyboard.rst to docs/source/notebook/cm_keyboard.rst |
|
NO CONTENT: file renamed from docs/source/interactive/cm_keyboard.rst to docs/source/notebook/cm_keyboard.rst |
1 | NO CONTENT: file renamed from docs/source/interactive/nbconvert.rst to docs/source/notebook/nbconvert.rst |
|
NO CONTENT: file renamed from docs/source/interactive/nbconvert.rst to docs/source/notebook/nbconvert.rst |
1 | NO CONTENT: file renamed from docs/source/interactive/notebook.rst to docs/source/notebook/notebook.rst |
|
NO CONTENT: file renamed from docs/source/interactive/notebook.rst to docs/source/notebook/notebook.rst |
@@ -19,8 +19,8 b' a public interface <notebook_public_server>`.' | |||||
19 |
|
19 | |||
20 | .. _notebook_security: |
|
20 | .. _notebook_security: | |
21 |
|
21 | |||
22 | Notebook security |
|
22 | Securing a notebook server | |
23 | ----------------- |
|
23 | -------------------------- | |
24 |
|
24 | |||
25 | You can protect your notebook server with a simple single password by |
|
25 | You can protect your notebook server with a simple single password by | |
26 | setting the :attr:`NotebookApp.password` configurable. You can prepare a |
|
26 | setting the :attr:`NotebookApp.password` configurable. You can prepare a |
General Comments 0
You need to be logged in to leave comments.
Login now