GF shell restricted mode

By setting the environment variable GF_RESTRICTED before starting GF, the shell
will be run in restricted mode. This will prevent the GF shell from starting
arbitrary system commands (most uses of System.Cmd.system are blocked) and
writing arbitrary files (most commands that use writeFile et al are blocked).

Restricted mode is intended to minimize the potential security risks involved
in allowing public access to the GF shell over the internet. It should be used
in conjunction with system level protection mechanisms (e.g. file permissions)
to make sure that a publicly accessible GF shell does not give access to parts
of the system that should not be publicly accessible.
hallgren
2011-03-03 15:42:57 +00:00
parent 65e1ea2fc4
commit affdcf421e
3 changed files with 38 additions and 20 deletions
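The guard pattern the commit message describes, as an added example that is not GF's own code: an environment variable gates `system` and `writeFile` behind a single wrapper, and the shell reports the refusal as a plain message. Unlike the commit's version, this one fails closed (an error while reading the variable counts as restricted) and uses `System.Environment.lookupEnv` plus `System.Process.system`; the module layout, `Mode` type, `attempt` helper and the temp-file path are assumptions for the demonstration.

```haskell
-- Added example, not from the GF code base. Assumed names: Mode, currentMode,
-- restrictedWriteFile, attempt. The variable name GF_RESTRICTED and the error
-- text match the commit; everything else here is illustrative.
module Main where

import Control.Exception (IOException, try)
import System.Environment (lookupEnv, setEnv, unsetEnv)
import System.Exit (ExitCode)
import System.IO.Error (ioeGetErrorString, isUserError)
import qualified System.Process as P

data Mode = Unrestricted | Restricted deriving (Eq, Show)

tryIO :: IO a -> IO (Either IOException a)
tryIO = try

-- Presence of GF_RESTRICTED (any value) selects restricted mode. If the
-- environment cannot be read at all we also restrict: fail closed rather
-- than silently lifting the restriction.
currentMode :: IO Mode
currentMode = do
  r <- tryIO (lookupEnv "GF_RESTRICTED")
  return $ case r of
    Right Nothing  -> Unrestricted
    Right (Just _) -> Restricted
    Left _         -> Restricted

-- Wrap any IO action; in restricted mode it is replaced by a user error.
restricted :: IO a -> IO a
restricted io = do
  m <- currentMode
  case m of
    Unrestricted -> io
    Restricted   -> fail "This operation is not allowed when GF is running in restricted mode."

-- The two capabilities the commit message says restricted mode removes.
restrictedSystem :: String -> IO ExitCode
restrictedSystem = restricted . P.system

restrictedWriteFile :: FilePath -> String -> IO ()
restrictedWriteFile path = restricted . writeFile path

-- Strip GHC's "user error" prefix for messages produced by fail, as in the commit.
ioErrorText :: IOException -> String
ioErrorText e
  | isUserError e = ioeGetErrorString e
  | otherwise     = show e

-- Run an action and print whether the guard let it through.
attempt :: String -> IO a -> IO ()
attempt label act = do
  r <- tryIO act
  putStrLn $ case r of
    Right _ -> label ++ ": allowed"
    Left e  -> label ++ ": blocked (" ++ ioErrorText e ++ ")"

main :: IO ()
main = do
  unsetEnv "GF_RESTRICTED"
  attempt "system \"true\" with GF_RESTRICTED unset" (restrictedSystem "true")
  setEnv "GF_RESTRICTED" "1"
  attempt "system \"true\" with GF_RESTRICTED set"   (restrictedSystem "true")
  -- Hypothetical path; never reached while restricted.
  attempt "writeFile with GF_RESTRICTED set" (restrictedWriteFile "/tmp/gf-restricted-example.txt" "x")
```

The point worth carrying over from the commit message is that the wrapper only protects call sites that go through it: every remaining direct use of `system` or `writeFile` in the shell stays reachable, so the guard complements, and does not replace, file permissions and process-level sandboxing on the host.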


@@ -26,6 +26,7 @@ import System.IO.Error
import System.Environment
import System.Exit
import System.CPUTime
import System.Cmd
import Text.Printf
import Control.Monad
import Control.Exception(evaluate)
@@ -191,3 +192,19 @@ writeUTF8File fpath content = do
hSetEncoding h utf8
hPutStr h content
hClose h
-- * Functions to limit acesss to arbitrary IO and system commands
restricted io =
either (const io) (const $ fail message) =<< try (getEnv "GF_RESTRICTED")
where
message =
"This operation is not allowed when GF is running in restricted mode."
restrictedSystem = restricted . system
-- Because GHC adds the confusing text "user error" for failures cased by
-- calls to fail.
ioErrorText e = if isUserError e
then ioeGetErrorString e
else show e
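Review bot: `restricted` fails open: `try (getEnv "GF_RESTRICTED")` catches every IOError, not just the does-not-exist case, and the `Left` branch runs `io` unconditionally, so any other failure to read the environment silently lifts the restriction. Either match on `isDoesNotExistError` and treat other errors as restricted, or document that this is deliberate. While here: add type signatures and a short comment to `restricted` and `restrictedSystem` stating that the mode is triggered by the variable being set to any value (including empty), and fix the typo "acesss" in the section comment. The commit message says "most" uses of `system` and `writeFile` are blocked; the deployer needs the list of call sites that still bypass `restricted`/`restrictedSystem`, so a comment here or in the message naming them would help.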