do. command. safety. ?

J. Landman Gay jacque at hyperactivesw.com
Sat Mar 31 15:03:10 EDT 2018


At the risk of appearing to be obtuse...I tried both versions of the 
"do" and got the same results. In each case, the variable was populated 
but no code was executed. In a test stack with one field and one button, 
I entered ";set the backcolor of btn 1 to blue;put ". In the button 
script I tried both versions of your example (substituting "fld 1" for 
"user input".) I also tried it without the semicolons and extra "put " 
at the end.

In each case the variable x contained "set the backcolor of btn 1 to 
blue" and the button did not change color.

I am quite sure you are right, but could you provide an example where 
the embedded command would actually execute?

On 3/30/18 7:06 PM, Mark Waddingham via use-livecode wrote:
> The user input was indirected through a variable in the safe version - not made part of the do string... That's the critical difference.
> 
> The unsafe version allows user input to change the do'd code, the safe version only changes the content of a variable the do string uses.
> 
> Warmest Regards,
> 
> Mark.
> 
> Sent from my iPhone
> 
>> On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode <use-livecode at lists.runrev.com> wrote:
>>
>> Well yes, but as Bob mentioned, wouldn't a variable do the same thing?
>>
>>   put ";delete hard drive;put " into x
>>   do x
>>
>> vs:
>>
>>   do "put " && quote & ";delete hard drive;put " & quote && "into x"
>>
>> This actually came up way back in MetaCard where it was pointed out that the engine was about as secure as it gets as long as you validate all user input when using "do" or (I think) "value". In the first example above, input needs to be examined before the "do" command is issued. So I think there's a line or two missing in there somewhere. ;)
>>
>>
>>> On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
>>> Think about the string that can be constructed in the quoted version - user input could be "; ...;put " where ... is any code you would like...
>>> Sent from my iPhone
>>>> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>>
>>>> These look the same to me. Both versions place content into a variable. Is the difference because of how the engine evaluates the input somehow?
>>>>
>>>> --
>>>> Jacqueline Landman Gay | jacque at hyperactivesw.com
>>>> HyperActive Software | http://www.hyperactivesw.com
>>>>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>>>
>>>>> Using do safely is the same as making database queries safe, or URL requests.
>>>>>
>>>>> You 'just' need to make sure that any input from outside is sanitized to ensure that it doesn't change the meaning of the expression you are 'doing'.
>>>>>
>>>>> For example, don't interpolate strings directly in the script using quotes, use a local var instead:
>>>>>
>>>>> put user input into tVar1
>>>>> do "put tVar1 into x" -- safe
>>>>>
>>>>> Rather than
>>>>>
>>>>> do "put " && quote & user input & quote && "into x" -- not safe
>>>>>
>>>>> Warmest Regards,
>>>>>
>>>>> Mark.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>>>>
>>>>>> Dear Geniuses
>>>>>>
>>>>>> Sometimes.... late at night just before falling asleep I think about the
>>>>>> dangers of the do command.  Is it possible to inject code into this
>>>>>> mechanism through malware?
>>>>>>
>>>>>> I do not have enough understanding of operating systems and their processes
>>>>>> ...and the livecode engine....to be able to know if it's a reasonable
>>>>>> question or not.
>>>>>>
>>>>>> Thanks for any input on this.
>>>>>> _______________________________________________
>>
>>
>> -- 
>> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
>> HyperActive Software           |     http://www.hyperactivesw.com
>>
> 
> 
> 


-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
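The difference Mark describes (input spliced into the text that "do" parses, versus input reachable only as the value of a variable that the "do" string names) is easiest to see in a language whose evaluator can be run directly. The following is an added illustration, not LiveCode and not code from anyone in this thread: Python's exec() stands in for the "do" command, do_unsafe mirrors the quoted-interpolation form and do_safe mirrors the tVar1 form from Mark's message, and the sample input is constructed for the demonstration. Because the unsafe template wraps the input in quote characters, the constructed input has to contain quotes of its own to close the literal before the ';'-separated statements become code; that is a fact about Python string literals and claims nothing about how LiveCode's parser treats the same text.

```python
"""Python analogue of the 'do' discussion: interpolating untrusted text
into program source versus passing it through a variable.

Added illustration, not LiveCode and not code from the mailing-list thread.
exec() stands in for LiveCode's 'do'; the names below are this example's
own choices and the inputs are constructed.
"""

# Constructed sample input. The embedded quote characters close the string
# literal in the unsafe template, after which the ';'-separated statements
# are parsed as code. The payload only flips a marker so the effect is
# observable without doing anything else.
INJECTED_INPUT = '"; tampered = True; x = "'

# An ordinary input for comparison.
PLAIN_INPUT = "hello world"


def do_unsafe(user_input: str) -> dict:
    """Mirror of: do "put " && quote & user input & quote && "into x".

    The input is concatenated into the program text BEFORE parsing, so the
    input can change the shape of the statement that ends up executing.
    """
    namespace = {"tampered": False}
    code = 'x = "' + user_input + '"'
    exec(code, namespace)
    return {"x": namespace.get("x"), "tampered": namespace["tampered"]}


def do_safe(user_input: str) -> dict:
    """Mirror of: put user input into tVar1 ; do "put tVar1 into x".

    The program text is a constant. The input exists only as the value
    bound to tVar1, so it is copied verbatim and never parsed as code.
    """
    namespace = {"tampered": False, "tVar1": user_input}
    code = "x = tVar1"
    exec(code, namespace)
    return {"x": namespace.get("x"), "tampered": namespace["tampered"]}


def is_tampered(result: dict) -> bool:
    """True if the evaluated code did something the template never asked for."""
    return result["tampered"]


if __name__ == "__main__":
    for label, fn in (("unsafe", do_unsafe), ("safe", do_safe)):
        for inp in (PLAIN_INPUT, INJECTED_INPUT):
            print(f"{label:6} {inp!r:32} -> {fn(inp)}")
```

Running it shows the two paths diverge only on the crafted input: do_unsafe executes the extra statements and leaves x empty, while do_safe stores the entire crafted string in x as data with the marker untouched. The point carries over regardless of what a particular language treats as a statement separator or string delimiter: once untrusted text is part of the source that the evaluator parses, the question is only which characters it takes to change the parse, whereas a value read from a variable is never parsed at all.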



