> On Wed, 06 Jan 2010, Szakáts Viktor wrote:
>> To smoothen the security edge of this feature,
>> maybe it would be nice to allow limiting the set
>> of functions made available through RPC on the
>> server side. This way the programmer could have total
>> control over this aspect without worrying about
>> a function being linked without knowledge or intent,
>> and keep verifying .map files to find out.
>
> Any limits by function list are usually very easy to exploit.
> As long as you do not plan to give access to some very small
> set of functions, sooner or later a hacker will find a way to
> pass some string to the macrocompiler and do whatever he wants,
> i.e. if you allow executing ordListAdd() then he can create an
> index file with a key expression containing the functions you wanted
> to block, etc. Such things have to be resolved inside HVM. See
> the information I left about it in xhb-diff.txt at the end of
> the NAMESPACEs section.
> Now, instead of implementing a feature which gives an illusion
> of security rather than real protection, I suggest adding a very
> simple extension: a user function which can be registered in the
> NETIO socket and executed instead of the really requested functions,
> so if the user thinks that such a list is enough for him then he can
> write something like:
>
>    static s_funcLst := { "STR"=>, "DATE"=>, "TIME"=> }
>    func mywrapper( sFunc, ... )
>       if sFunc:name $ s_funcLst
>          return sFunc:exec( ... )
>       endif
>    return nil

Perfectly fits what I had in mind.
Brgds,
Viktor
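
A toy model of the argument in this thread, added here as an example and not taken from the mail or from Harbour's code: a name filter at the RPC dispatch level refuses a direct call, but an allowed function that hands a string to the macro compiler reaches the same function anyway unless the check lives inside the VM. `ToyVM`, `rpc_wrapper`, `demo`, the `DELETEFILE` stand-in and the file name are assumptions, and `ORDLISTADD` is simplified to take the key expression directly instead of reading it from an index file.

```python
import ast

class ToyVM:
    """Toy model of a VM with a macro compiler (not Harbour's HVM)."""

    def __init__(self, vm_allow=None):
        self.vm_allow = vm_allow      # None: the VM itself restricts nothing
        self.ran = []                 # names of functions that actually executed
        self.funcs = {
            "STR": lambda x: str(x),
            "DELETEFILE": lambda name: True,            # stand-in, touches nothing
            "ORDLISTADD": lambda key: self.macro(key),  # key expression is compiled
        }

    def call(self, name, *args):
        name = name.upper()
        # Enforcement point inside the VM: applies to every call, however reached.
        if self.vm_allow is not None and name not in self.vm_allow:
            raise PermissionError(name)
        self.ran.append(name)
        return self.funcs[name](*args)

    def macro(self, text):
        """Evaluate a string of the form NAME(arg, ...), nested calls included."""
        return self._eval(ast.parse(text, mode="eval").body)

    def _eval(self, node):
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            return self.call(node.func.id, *[self._eval(a) for a in node.args])
        raise ValueError("unsupported expression")


def rpc_wrapper(vm, allowed, name, *args):
    """Dispatch-level filter as in the mail: checks the requested name only."""
    if name.upper() in allowed:
        return vm.call(name, *args)
    return None


def demo(vm_allow=None):
    vm = ToyVM(vm_allow)
    allowed = {"STR", "ORDLISTADD"}   # constructed allow list
    direct = rpc_wrapper(vm, allowed, "DELETEFILE", "x.dbf")  # refused by name
    try:
        indirect = rpc_wrapper(vm, allowed, "ORDLISTADD", 'DELETEFILE("x.dbf")')
    except PermissionError as exc:
        indirect = f"denied:{exc}"
    return direct, indirect, vm.ran
```

`demo()` models the wrapper-only setup and `demo({"STR", "ORDLISTADD"})` the same allow list enforced inside the VM; the third returned value lists the functions that actually ran.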