do. command. safety. ?
Alex Tweedly
alex at tweedly.net
Sat Mar 31 22:10:11 EDT 2018
The question is exactly what did you type into the field ? It's unclear
whether the quotes in your email are part of the email, or part of the
field content.
Here's a case that definitely shows the difference:
button "Button"
on mouseup
  local tVar, tX
  -- the field text is spliced directly into the script handed to do
  do "put " && quote & the text of fld 1 & quote && "into tX"
  put "now tx=" && tX & CR after msg
end mouseup
and button "safe"
on mouseup
  local tVar, tX
  -- the field text only ever lands in a variable; the do string is constant
  put fld 1 into tVar
  do "put tVar into tX"
  put "now tx=" && tX & CR after msg
end mouseup
and into the field I typed
1+2+3" into tt;set the backcolor of btn 1 to blue;put "
Clicking button 'safe' gives
now tx= 1+2+3" into tt;set the backcolor of btn 1 to blue;put "
after the msg box; and repeated clicks there produce extra lines all the
same.
Clicking button 'button' gives
now tx=
in the msgbox, and the button color changes.
So the embedded command within the field is being executed.
-- Alex.
On 31/03/2018 20:03, J. Landman Gay via use-livecode wrote:
> At the risk of appearing to be obtuse...I tried both versions of the
> "do" and got the same results. In each case, the variable was
> populated but no code was executed. In a test stack with one field and
> one button, I entered ";set the backcolor of btn 1 to blue;put ". In
> the button script I tried both versions of your example (substituting
> "fld 1" for "user input".) I also tried it without the semicolons and
> extra "put " at the end.
>
> In each case the variable x contained "set the backcolor of btn 1 to
> blue" and the button did not change color.
>
> I am quite sure you are right, but could you provide an example where
> the embedded command would actually execute?
>
> On 3/30/18 7:06 PM, Mark Waddingham via use-livecode wrote:
>> The user input was indirected through a variable in the safe version
>> - not made part of the do string... That's the critical difference.
>>
>> The unsafe version allows user input to change the do'd code, the
>> safe version only changes the content of a variable the do string uses.
>>
>> Warmest Regards,
>>
>> Mark.
>>
>> Sent from my iPhone
>>
>>> On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode
>>> <use-livecode at lists.runrev.com> wrote:
>>>
>>> Well yes, but as Bob mentioned, wouldn't a variable do the same thing?
>>>
>>> put ";delete hard drive;put " into x
>>> do x
>>>
>>> vs:
>>>
>>> do "put " && quote & ";delete hard drive;put " & quote && "into x"
>>>
>>> This actually came up way back in MetaCard where it was pointed out
>>> that the engine was about as secure as it gets as long as you
>>> validate all user input when using "do" or (I think) "value". In the
>>> first example above, input needs to be examined before the "do"
>>> command is issued. So I think there's a line or two missing in there
>>> somewhere. ;)
>>>
>>>
>>>> On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
>>>> Think about the string that can be constructed in the quoted
>>>> version - user input could be "; ...;put " where ... is any code
>>>> you would like...
>>>> Sent from my iPhone
>>>>> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode
>>>>> <use-livecode at lists.runrev.com> wrote:
>>>>>
>>>>> These look the same to me. Both versions place content into a
>>>>> variable. Is the difference because of how the engine evaluates
>>>>> the input somehow?
>>>>>
>>>>> --
>>>>> Jacqueline Landman Gay | jacque at hyperactivesw.com
>>>>> HyperActive Software | http://www.hyperactivesw.com
>>>>>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode
>>>>>> <use-livecode at lists.runrev.com> wrote:
>>>>>>
>>>>>> Using do safely is the same as making database queries safe, or
>>>>>> URL requests.
>>>>>>
>>>>>> You 'just' need to make sure that any input from outside is
>>>>>> sanitized to ensure that it doesn't change the meaning of the
>>>>>> expression you are 'doing'.
>>>>>>
>>>>>> For example, don't interpolate strings directly in the script
>>>>>> using quotes, use a local var instead:
>>>>>>
>>>>>> put user input into tVar1
>>>>>> do "put tVar1 into x" -- safe
>>>>>>
>>>>>> Rather than
>>>>>>
>>>>>> do "put " && quote & user input & quote && "into x" -- not safe
>>>>>>
>>>>>> Warmest Regards,
>>>>>>
>>>>>> Mark.
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode
>>>>>>> <use-livecode at lists.runrev.com> wrote:
>>>>>>>
>>>>>>> Dear Geniuses
>>>>>>>
>>>>>>> Sometimes.... late at night just before falling asleep I think
>>>>>>> about the
>>>>>>> dangers of the do command. Is it possible to inject code into this
>>>>>>> mechanism through malware?
>>>>>>>
>>>>>>> I do not have enough understanding of operating systems and
>>>>>>> their processes
>>>>>>> ...and the livecode engine....to be able to know if its a
>>>>>>> reasonable
>>>>>>> question or not.
>>>>>>>
>>>>>>> Thanks for any input on this.
>>>
>>>
>>> --
>>> Jacqueline Landman Gay | jacque at hyperactivesw.com
>>> HyperActive Software | http://www.hyperactivesw.com
>>>
>>> _______________________________________________
>>> use-livecode mailing list
>>> use-livecode at lists.runrev.com
>>> Please visit this url to subscribe, unsubscribe and manage your
>>> subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
>>
>>
>
>