security of the runtime

Alex Rice alrice at ARCplanning.com
Thu Mar 27 18:56:01 EST 2003


On Thursday, March 27, 2003, at 03:55  PM, Scott Raney wrote:
> The primary vulnerabilities are in the third-party libraries we use.
> For example, I wouldn't be surprised if you could force the engine to
> crash or execute arbitrary machine code by passing it a carefully
> crafted bogus GIF/JPEG/PNG image, QT movie, or compress() stream.  But
> as long as you can maintain some control over the source of the data
> you're using with those routines I wouldn't lose any sleep over the
> possibility of a user being able to craft some other type of data that
> would allow them to break into a machine using your program.

Thanks for the feedback. It's interesting. I'm glad Rev apps are in 
better shape than your average C/C++ app that's out there.

I suppose the third-party libs problem also includes the revdb and 
revxml libraries? For some apps, that could be the entire bulk of 
data that's handled. For XML web services it could be even more 
critical. All you know is you are hitting some URI and getting XML back.

I am looking at revxml "strings" output and can't tell what parser is 
being used. I see some C++ ganga in there, some Codewarrior stuff, some 
links to CoreFoundation. What 3rd party lib does revxml use?

Alex Rice, Software Developer
Architectural Research Consultants, Inc.
alrice at ARCplanning.com
alrice at swcp.com