How does Bugzilla operate
Burton Woodruff
bwoodruf at butler.edu
Sun Jan 23 09:37:24 EST 2005
Many thanks to Sarah Reichelt and Richard Gaskin for identifying the
problem and the workaround. I've included Richard's response in this
mailing.
Burt Woodruff
Ripple Software
>> Sarah Reichelt wrote:
>> On Dec 18, 2004 I reported a problem that became bug 2477. I created a
>> stack that reliably demonstrated the problem and posted it for
>> download.
>>
>> In Rev 2.2.1 I could create a graphic with a script. The technique
>> worked great in both the development environment and in standalones.
>>
>> In Rev 2.5 the procedure doesn't work. I rewrote the code so a
>> graphic with the proper script is cloned rather than created. This
>> revision worked great in the development environment and FAILS in the
>> standalone.
>
> Hi Burton,
>
> Checking your example stack, it creates the graphic perfectly, but fails
> to assign the script to it because you set the stack to be password
> protected in the standalone settings. I can't understand why creating
> the graphic worked, but I guess the password protection only applies to
> scripts.
>
> A bug was introduced in v2.5 while addressing a potential security
> issue: the clone command should rightfully prevent objects from being
> cloned from a password-protected stack to any other stack, as the
> destination stack may not be password-protected and thus leave any
> script in that object exposed in the new stack.
>
> However this seems to have been addressed with a touch of overkill: in
> v2.5 the ability to clone objects within a password-protected stack has
> apparently been disabled, as has the ability to clone a password-protected
> stack itself. Neither of these two circumstances poses a security
> exposure, so the older behavior of allowing the clone should be restored
> for these, while keeping the one case that is an exposure (cloning out
> of a password-protected stack).
>
> These were reported in Bugzilla, and if memory serves were slated to be
> addressed in the next release. I can't find the Bugzilla item now, so I
> don't know the current status.
>
> --
> Richard Gaskin
> Fourth World Media Corporation