do. command. safety. ?

J. Landman Gay jacque at hyperactivesw.com
Sat Mar 31 21:16:50 CEST 2018


BTW, I know this works and is dangerous: do <user input>

It's the insertions that don't seem to be affected.

On 3/31/18 2:03 PM, J. Landman Gay via use-livecode wrote:
> At the risk of appearing to be obtuse...I tried both versions of the 
> "do" and got the same results. In each case, the variable was populated 
> but no code was executed. In a test stack with one field and one button, 
> I entered ";set the backcolor of btn 1 to blue;put ". In the button 
> script I tried both versions of your example (substituting "fld 1" for 
> "user input".) I also tried it without the semicolons and extra "put " 
> at the end.
> 
> In each case the variable x contained "set the backcolor of btn 1 to 
> blue" and the button did not change color.
> 
> I am quite sure you are right, but could you provide an example where 
> the embedded command would actually execute?
> 
> On 3/30/18 7:06 PM, Mark Waddingham via use-livecode wrote:
>> The user input was indirected through a variable in the safe version - 
>> not made part of the do string... That's the critical difference.
>>
>> The unsafe version allows user input to change the do'd code, the safe 
>> version only changes the content of a variable the do string uses.
>>
>> Warmest Regards,
>>
>> Mark.
>>
>> Sent from my iPhone
>>
>>> On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode 
>>> <use-livecode at lists.runrev.com> wrote:
>>>
>>> Well yes, but as Bob mentioned, wouldn't a variable do the same thing?
>>>
>>>   put ";delete hard drive;put " into x
>>>   do x
>>>
>>> vs:
>>>
>>>   do "put " && quote & ";delete hard drive;put " & quote && "into x"
>>>
>>> This actually came up way back in MetaCard where it was pointed out 
>>> that the engine was about as secure as it gets as long as you 
>>> validate all user input when using "do" or (I think) "value". In the 
>>> first example above, input needs to be examined before the "do" 
>>> command is issued. So I think there's a line or two missing in there 
>>> somewhere. ;)
>>>
>>>
>>>> On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
>>>> Think about the string that can be constructed in the quoted version 
>>>> - user input could be "; ...;put " where ... is any code you would 
>>>> like...
>>>> Sent from my iPhone
>>>>> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
>>>>> <use-livecode at lists.runrev.com> wrote:
>>>>>
>>>>> These look the same to me. Both versions place content into a 
>>>>> variable. Is the difference because of how the engine evaluates the 
>>>>> input somehow?
>>>>>
>>>>> -- 
>>>>> Jacqueline Landman Gay | jacque at hyperactivesw.com
>>>>> HyperActive Software | http://www.hyperactivesw.com
>>>>>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
>>>>>> <use-livecode at lists.runrev.com> wrote:
>>>>>>
>>>>>> Using do safely is the same as making database queries safe, or 
>>>>>> URL requests.
>>>>>>
>>>>>> You 'just' need to make sure that any input from outside is 
>>>>>> sanitized to ensure that it doesn't change the meaning of the 
>>>>>> expression you are 'doing'.
>>>>>>
>>>>>> For example, don't interpolate strings directly in the script 
>>>>>> using quotes, use a local var instead:
>>>>>>
>>>>>> put user input into tVar1
>>>>>> do "put tVar1 into x" -- safe
>>>>>>
>>>>>> Rather than
>>>>>>
>>>>>> do "put " && quote & user input & quote && "into x" -- not safe
>>>>>>
>>>>>> Warmest Regards,
>>>>>>
>>>>>> Mark.
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
>>>>>>> <use-livecode at lists.runrev.com> wrote:
>>>>>>>
>>>>>>> Dear Geniuses
>>>>>>>
>>>>>>> Sometimes.... late at night just before falling asleep I think 
>>>>>>> about the
>>>>>>> dangers of the do command.  Is it possible to inject code into this
>>>>>>> mechanism through malware?
>>>>>>>
>>>>>>> I do not have enough understanding of operating systems and their 
>>>>>>> processes
>>>>>>> ...and the livecode engine....to be able to know if its a reasonable
>>>>>>> question or not.
>>>>>>>
>>>>>>> Thanks for any input on this.
>>>>>>> _______________________________________________
>>>
>>>
>>> -- 
>>> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
>>> HyperActive Software           |     http://www.hyperactivesw.com
>>>
>>> _______________________________________________
>>> use-livecode mailing list
>>> use-livecode at lists.runrev.com
>>> Please visit this url to subscribe, unsubscribe and manage your 
>>> subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
>>
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your 
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
> 
> 


-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com




More information about the use-livecode mailing list