Show More
@@ -0,0 +1,13 b'' | |||
|
1 | ==================== | |
|
2 | The IPython notebook | |
|
3 | ==================== | |
|
4 | ||
|
5 | .. toctree:: | |
|
6 | :maxdepth: 2 | |
|
7 | ||
|
8 | notebook | |
|
9 | cm_keyboard | |
|
10 | nbconvert | |
|
11 | public_server | |
|
12 | security | |
|
13 |
@@ -0,0 +1,52 b'' | |||
|
1 | -----BEGIN PGP PUBLIC KEY BLOCK----- | |
|
2 | Version: GnuPG v2.0.22 (GNU/Linux) | |
|
3 | ||
|
4 | mQINBFMx2LoBEAC9xU8JiKI1VlCJ4PT9zqhU5nChQZ06/bj1BBftiMJG07fdGVO0 | |
|
5 | ibOn4TrCoRYaeRlet0UpHzxT4zDa5h3/usJaJNTSRwtWePw2o7Lik8J+F3LionRf | |
|
6 | 8Jz81WpJ+81Klg4UWKErXjBHsu/50aoQm6ZNYG4S2nwOmMVEC4nc44IAA0bb+6kW | |
|
7 | saFKKzEDsASGyuvyutdyUHiCfvvh5GOC2h9mXYvl4FaMW7K+d2UgCYERcXDNy7C1 | |
|
8 | Bw+uepQ9ELKdG4ZpvonO6BNr1BWLln3wk93AQfD5qhfsYRJIyj0hJlaRLtBU3i6c | |
|
9 | xs+gQNF4mPmybpPSGuOyUr4FYC7NfoG7IUMLj+DYa6d8LcMJO+9px4IbdhQvzGtC | |
|
10 | qz5av1TX7/+gnS4L8C9i1g8xgI+MtvogngPmPY4repOlK6y3l/WtxUPkGkyYkn3s | |
|
11 | RzYyE/GJgTwuxFXzMQs91s+/iELFQq/QwmEJf+g/QYfSAuM+lVGajEDNBYVAQkxf | |
|
12 | gau4s8Gm0GzTZmINilk+7TxpXtKbFc/Yr4A/fMIHmaQ7KmJB84zKwONsQdVv7Jjj | |
|
13 | 0dpwu8EIQdHxX3k7/Q+KKubEivgoSkVwuoQTG15X9xrOsDZNwfOVQh+JKazPvJtd | |
|
14 | SNfep96r9t/8gnXv9JI95CGCQ8lNhXBUSBM3BDPTbudc4b6lFUyMXN0mKQARAQAB | |
|
15 | tCxJUHl0aG9uIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QGlweXRob24ub3JnPokC | |
|
16 | OAQTAQIAIgUCUzHYugIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQEwJc | |
|
17 | LcmZYkjuXg//R/t6nMNQmf9W1h52IVfUbRAVmvZ5d063hQHKV2dssxtnA2dRm/x5 | |
|
18 | JZu8Wz7ZrEZpyqwRJO14sxN1/lC3v+zs9XzYXr2lBTZuKCPIBypYVGIynCuWJBQJ | |
|
19 | rWnfG4+u1RHahnjqlTWTY1C/le6v7SjAvCb6GbdA6k4ZL2EJjQlRaHDmzw3rV/+l | |
|
20 | LLx6/tYzIsotuflm/bFumyOMmpQQpJjnCkWIVjnRICZvuAn97jLgtTI0+0Rzf4Zb | |
|
21 | k2BwmHwDRqWCTTcRI9QvTl8AzjW+dNImN22TpGOBPfYj8BCZ9twrpKUbf+jNqJ1K | |
|
22 | THQzFtpdJ6SzqiFVm74xW4TKqCLkbCQ/HtVjTGMGGz/y7KTtaLpGutQ6XE8SSy6P | |
|
23 | EffSb5u+kKlQOWaH7Mc3B0yAojz6T3j5RSI8ts6pFi6pZhDg9hBfPK2dT0v/7Mkv | |
|
24 | E1Z7q2IdjZnhhtGWjDAMtDDn2NbY2wuGoa5jAWAR0WvIbEZ3kOxuLE5/ZOG1FyYm | |
|
25 | noJRliBz7038nT92EoD5g1pdzuxgXtGCpYyyjRZwaLmmi4CvA+oThKmnqWNY5lyY | |
|
26 | ricdNHDiyEXK0YafJL1oZgM86MSb0jKJMp5U11nUkUGzkroFfpGDmzBwAzEPgeiF | |
|
27 | 40+qgsKB9lqwb3G7PxvfSi3XwxfXgpm1cTyEaPSzsVzve3d1xeqb7Yq5Ag0EUzHY | |
|
28 | ugEQALQ5FtLdNoxTxMsgvrRr1ejLiUeRNUfXtN1TYttOfvAhfBVnszjtkpIW8DCB | |
|
29 | JF/bA7ETiH8OYYn/Fm6MPI5H64IHEncpzxjf57jgpXd9CA9U2OMk/P1nve5zYchP | |
|
30 | QmP2fJxeAWr0aRH0Mse5JS5nCkh8Xv4nAjsBYeLTJEVOb1gPQFXOiFcVp3gaKAzX | |
|
31 | GWOZ/mtG/uaNsabH/3TkcQQEgJefd11DWgMB7575GU+eME7c6hn3FPITA5TC5HUX | |
|
32 | azvjv/PsWGTTVAJluJ3fUDvhpbGwYOh1uV0rB68lPpqVIro18IIJhNDnccM/xqko | |
|
33 | 4fpJdokdg4L1wih+B04OEXnwgjWG8OIphR/oL/+M37VV2U7Om/GE6LGefaYccC9c | |
|
34 | tIaacRQJmZpG/8RsimFIY2wJ07z8xYBITmhMmOt0bLBv0mU0ym5KH9Dnru1m9QDO | |
|
35 | AHwcKrDgL85f9MCn+YYw0d1lYxjOXjf+moaeW3izXCJ5brM+MqVtixY6aos3YO29 | |
|
36 | J7SzQ4aEDv3h/oKdDfZny21jcVPQxGDui8sqaZCi8usCcyqWsKvFHcr6vkwaufcm | |
|
37 | 3Knr2HKVotOUF5CDZybopIz1sJvY/5Dx9yfRmtivJtglrxoDKsLi1rQTlEQcFhCS | |
|
38 | ACjf7txLtv03vWHxmp4YKQFkkOlbyhIcvfPVLTvqGerdT2FHABEBAAGJAh8EGAEC | |
|
39 | AAkFAlMx2LoCGwwACgkQEwJcLcmZYkgK0BAAny0YUugpZldiHzYNf8I6p2OpiDWv | |
|
40 | ZHaguTTPg2LJSKaTd+5UHZwRFIWjcSiFu+qTGLNtZAdcr0D5f991CPvyDSLYgOwb | |
|
41 | Jm2p3GM2KxfECWzFbB/n/PjbZ5iky3+5sPlOdBR4TkfG4fcu5GwUgCkVe5u3USAk | |
|
42 | C6W5lpeaspDz39HAPRSIOFEX70+xV+6FZ17B7nixFGN+giTpGYOEdGFxtUNmHmf+ | |
|
43 | waJoPECyImDwJvmlMTeP9jfahlB6Pzaxt6TBZYHetI/JR9FU69EmA+XfCSGt5S+0 | |
|
44 | Eoc330gpsSzo2VlxwRCVNrcuKmG7PsFFANok05ssFq1/Djv5rJ++3lYb88b8HSP2 | |
|
45 | 3pQJPrM7cQNU8iPku9yLXkY5qsoZOH+3yAia554Dgc8WBhp6fWh58R0dIONQxbbo | |
|
46 | apNdwvlI8hKFB7TiUL6PNShE1yL+XD201iNkGAJXbLMIC1ImGLirUfU267A3Cop5 | |
|
47 | hoGs179HGBcyj/sKA3uUIFdNtP+NndaP3v4iYhCitdVCvBJMm6K3tW88qkyRGzOk | |
|
48 | 4PW422oyWKwbAPeMk5PubvEFuFAIoBAFn1zecrcOg85RzRnEeXaiemmmH8GOe1Xu | |
|
49 | Kh+7h8XXyG6RPFy8tCcLOTk+miTqX+4VWy+kVqoS2cQ5IV8WsJ3S7aeIy0H89Z8n | |
|
50 | 5vmLc+Ibz+eT+rM= | |
|
51 | =XVDe | |
|
52 | -----END PGP PUBLIC KEY BLOCK----- |
@@ -0,0 +1,146 b'' | |||
|
1 | Security in IPython notebooks | |
|
2 | ============================= | |
|
3 | ||
|
4 | As IPython notebooks become more popular for sharing and collaboration, | |
|
5 | the potential for malicious people to attempt to exploit the notebook | |
|
6 | for their nefarious purposes increases. IPython 2.0 introduces a | |
|
7 | security model to prevent execution of untrusted code without explicit | |
|
8 | user input. | |
|
9 | ||
|
10 | The problem | |
|
11 | ----------- | |
|
12 | ||
|
13 | The whole point of IPython is arbitrary code execution. We have no | |
|
14 | desire to limit what can be done with a notebook, which would negatively | |
|
15 | impact its utility. | |
|
16 | ||
|
17 | Unlike other programs, an IPython notebook document includes output. | |
|
18 | Unlike other documents, that output exists in a context that can execute | |
|
19 | code (via Javascript). | |
|
20 | ||
|
21 | The security problem we need to solve is that no code should execute | |
|
22 | just because a user has **opened** a notebook that **they did not | |
|
23 | write**. Like any other program, once a user decides to execute code in | |
|
24 | a notebook, it is considered trusted, and should be allowed to do | |
|
25 | anything. | |
|
26 | ||
|
27 | Our security model | |
|
28 | ------------------ | |
|
29 | ||
|
30 | - Untrusted HTML is always sanitized | |
|
31 | - Untrusted Javascript is never executed | |
|
32 | - HTML and Javascript in Markdown cells are never trusted | |
|
33 | - **Outputs** generated by the user are trusted | |
|
34 | - Any other HTML or Javascript (in Markdown cells, output generated by | |
|
35 | others) is never trusted | |
|
36 | - The central question of trust is "Did the current user do this?" | |
|
37 | ||
|
38 | The details of trust | |
|
39 | -------------------- | |
|
40 | ||
|
41 | IPython notebooks store a signature in metadata, which is used to answer | |
|
42 | the question "Did the current user do this?" | |
|
43 | ||
|
44 | This signature is a digest of the notebooks contents plus a secret key, | |
|
45 | known only to the user. The secret key is a user-only readable file in | |
|
46 | the IPython profile's security directory. By default, this is:: | |
|
47 | ||
|
48 | ~/.ipython/profile_default/security/notebook_secret | |
|
49 | ||
|
50 | When a notebook is opened by a user, the server computes a signature | |
|
51 | with the user's key, and compares it with the signature stored in the | |
|
52 | notebook's metadata. If the signature matches, HTML and Javascript | |
|
53 | output in the notebook will be trusted at load, otherwise it will be | |
|
54 | untrusted. | |
|
55 | ||
|
56 | Any output generated during an interactive session is trusted. | |
|
57 | ||
|
58 | Updating trust | |
|
59 | ************** | |
|
60 | ||
|
61 | A notebook's trust is updated when the notebook is saved. If there are | |
|
62 | any untrusted outputs still in the notebook, the notebook will not be | |
|
63 | trusted, and no signature will be stored. If all untrusted outputs have | |
|
64 | been removed (either via ``Clear Output`` or re-execution), then the | |
|
65 | notebook will become trusted. | |
|
66 | ||
|
67 | While trust is updated per output, this is only for the duration of a | |
|
68 | single session. A notebook file on disk is either trusted or not in its | |
|
69 | entirety. | |
|
70 | ||
|
71 | Explicit trust | |
|
72 | ************** | |
|
73 | ||
|
74 | Sometimes re-executing a notebook to generate trusted output is not an | |
|
75 | option, either because dependencies are unavailable, or it would take a | |
|
76 | long time. Users can explicitly trust a notebook in two ways: | |
|
77 | ||
|
78 | - At the command-line, with:: | |
|
79 | ||
|
80 | ipython trust /path/to/notebook.ipynb | |
|
81 | ||
|
82 | - After loading the untrusted notebook, with ``File / Trust Notebook`` | |
|
83 | ||
|
84 | These two methods simply load the notebook, compute a new signature with | |
|
85 | the user's key, and then store the newly signed notebook. | |
|
86 | ||
|
87 | Reporting security issues | |
|
88 | ------------------------- | |
|
89 | ||
|
90 | If you find a security vulnerability in IPython, either a failure of the | |
|
91 | code to properly implement the model described here, or a failure of the | |
|
92 | model itself, please report it to security@ipython.org. | |
|
93 | ||
|
94 | If you prefer to encrypt your security reports, | |
|
95 | you can use :download:`this PGP public key <ipython_security.asc>`. | |
|
96 | ||
|
97 | Affected use cases | |
|
98 | ------------------ | |
|
99 | ||
|
100 | Some use cases that work in IPython 1.0 will become less convenient in | |
|
101 | 2.0 as a result of the security changes. We do our best to minimize | |
|
102 | these annoyance, but security is always at odds with convenience. | |
|
103 | ||
|
104 | Javascript and CSS in Markdown cells | |
|
105 | ************************************ | |
|
106 | ||
|
107 | While never officially supported, it had become common practice to put | |
|
108 | hidden Javascript or CSS styling in Markdown cells, so that they would | |
|
109 | not be visible on the page. Since Markdown cells are now sanitized (by | |
|
110 | `Google Caja <https://developers.google.com/caja>`__), all Javascript | |
|
111 | (including click event handlers, etc.) and CSS will be stripped. | |
|
112 | ||
|
113 | We plan to provide a mechanism for notebook themes, but in the meantime | |
|
114 | styling the notebook can only be done via either ``custom.css`` or CSS | |
|
115 | in HTML output. The latter only have an effect if the notebook is | |
|
116 | trusted, because otherwise the output will be sanitized just like | |
|
117 | Markdown. | |
|
118 | ||
|
119 | Collaboration | |
|
120 | ************* | |
|
121 | ||
|
122 | When collaborating on a notebook, people probably want to see the | |
|
123 | outputs produced by their colleagues' most recent executions. Since each | |
|
124 | collaborator's key will differ, this will result in each share starting | |
|
125 | in an untrusted state. There are three basic approaches to this: | |
|
126 | ||
|
127 | - re-run notebooks when you get them (not always viable) | |
|
128 | - explicitly trust notebooks via ``ipython trust`` or the notebook menu | |
|
129 | (annoying, but easy) | |
|
130 | - share a notebook secret, and use an IPython profile dedicated to the | |
|
131 | collaboration while working on the project. | |
|
132 | ||
|
133 | Multiple profiles or machines | |
|
134 | ***************************** | |
|
135 | ||
|
136 | Since the notebook secret is stored in a profile directory by default, | |
|
137 | opening a notebook with a different profile or on a different machine | |
|
138 | will result in a different key, and thus be untrusted. The only current | |
|
139 | way to address this is by sharing the notebook secret. This can be | |
|
140 | facilitated by setting the configurable: | |
|
141 | ||
|
142 | .. sourcecode:: python | |
|
143 | ||
|
144 | c.NotebookApp.secret_file = "/path/to/notebook_secret" | |
|
145 | ||
|
146 | in each profile, and only sharing the secret once per machine. |
@@ -1,9 +1,9 b'' | |||
|
1 | 1 | <html> |
|
2 | 2 | <head> |
|
3 | <meta http-equiv="Refresh" content="0; url=notebook.html" /> | |
|
4 |
<title>Notebook |
|
|
5 |
</head> |
|
|
3 | <meta http-equiv="Refresh" content="0; url=../notebook/index.html" /> | |
|
4 | <title>Notebook docs have moved</title> | |
|
5 | </head> | |
|
6 | 6 | <body> |
|
7 |
<p>The notebook |
|
|
7 | <p>The notebook docs have moved <a href="../notebook/index.html">here</a>.</p> | |
|
8 | 8 | </body> |
|
9 | 9 | </html> |
@@ -164,7 +164,10 b" html_last_updated_fmt = '%b %d, %Y'" | |||
|
164 | 164 | # Additional templates that should be rendered to pages, maps page names to |
|
165 | 165 | # template names. |
|
166 | 166 | html_additional_pages = { |
|
167 |
|
|
|
167 | 'interactive/htmlnotebook': 'notebook_redirect.html', | |
|
168 | 'interactive/notebook': 'notebook_redirect.html', | |
|
169 | 'interactive/nbconvert': 'notebook_redirect.html', | |
|
170 | 'interactive/public_server': 'notebook_redirect.html', | |
|
168 | 171 | } |
|
169 | 172 | |
|
170 | 173 | # If false, no module index is generated. |
@@ -25,6 +25,7 b' Contents' | |||
|
25 | 25 | whatsnew/index |
|
26 | 26 | install/index |
|
27 | 27 | interactive/index |
|
28 | notebook/index | |
|
28 | 29 | parallel/index |
|
29 | 30 | config/index |
|
30 | 31 | development/index |
@@ -10,9 +10,7 b' Using IPython for interactive work' | |||
|
10 | 10 | reference |
|
11 | 11 | shell |
|
12 | 12 | qtconsole |
|
13 | notebook | |
|
14 | cm_keyboard | |
|
15 | nbconvert | |
|
16 | public_server | |
|
17 | 13 | |
|
14 | .. seealso:: | |
|
18 | 15 | |
|
16 | :doc:`/notebook/index` |
|
1 | NO CONTENT: file renamed from docs/source/interactive/cm_keyboard.rst to docs/source/notebook/cm_keyboard.rst |
|
1 | NO CONTENT: file renamed from docs/source/interactive/nbconvert.rst to docs/source/notebook/nbconvert.rst |
|
1 | NO CONTENT: file renamed from docs/source/interactive/notebook.rst to docs/source/notebook/notebook.rst |
@@ -19,8 +19,8 b' a public interface <notebook_public_server>`.' | |||
|
19 | 19 | |
|
20 | 20 | .. _notebook_security: |
|
21 | 21 | |
|
22 | Notebook security | |
|
23 | ----------------- | |
|
22 | Securing a notebook server | |
|
23 | -------------------------- | |
|
24 | 24 | |
|
25 | 25 | You can protect your notebook server with a simple single password by |
|
26 | 26 | setting the :attr:`NotebookApp.password` configurable. You can prepare a |
General Comments 0
You need to be logged in to leave comments.
Login now