Still don’t get it. When the malefactor runs the program with malicious data to be interpreted, with the result of doing something dangerous, it isn't the INTERPRET statement that enabled it; the hacker could have written the program to do it himself.
If you mean ~I~ run a program (under my own ID) using data supplied by the hacker, sure, in that case he might get me to accomplish his aims by using my access. But if I were to do something so careless, it's not clear to me that the INTERPRET statement is to blame.

---
Bob Bridges, [email protected], cell 336 382-7313

/* If we wish to be rational, not now and then but constantly, we must pray for the gift of Faith, for the power to go on believing not in the teeth of reason but in the teeth of lust and terror and jealousy and boredom and indifference that which reason, authority or experience, or all three, have once delivered to us for truth. -C S Lewis in _Religion: Reality or Substitute?_ */

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Paul Gilmartin
Sent: Monday, September 13, 2021 12:18

The hazard exists if a programmer naively INTERPRETs data supplied by potential (fe)malefactor. The defensive programmer might parse those data and prohibit dangerous constructs, but that parse must be complete.

IBM's OMVS SKULKER script formerly bypassed filenames containing semicolons to prevent an exploit. I pointed out that the exploit remained for filenames containing NewLines. IBM fixed it with an undocumented APAR.

---
On Mon, 13 Sep 2021 10:18:45 -0400, Bob Bridges wrote:

>But I keep thinking about the possibilities for malice in any tool I write for
>public use, and worry about it. I can't think of any examples, because as
>Itschak points out below, it's always going to run under the perpetrator's own
>ID, so INTERPRET isn't giving him any capabilities he doesn't already have.
>Can anyone point me to an example of how this would become a Bad Thing? I'm
>really curious.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
