Years ago I used INTERPRET often, and I too switched to VALUE. There's
still one use case where I still use INTERPRET, and that's for 'passing'
many variables (most of which are stem) between programs.
This program reads an input dataset that contains all of the variable names
that should be passed. It then uses INTERPRET to append the variable names
and values to the PARMS variable. It then performs the CALL. The calling
subprogram performs an INTERPRET on ARG(1). Once the subprogram returns, it
uses INTERPRET to receive the returned variables and values.

CALL DRAW_PARMS
PARMS = PARMS"OBJPOS='"OBJPOS"';OBJLEN='"OBJLEN"';OBJINTS='"OBJINTS"';",
        "OBJHILT='"OBJHILT"';OBJCOLR='"OBJCOLR"';OBJVAL='"OBJVAL"'"
CALL SCRNTXAT PARMS
IF RESULT = 'RESULT' THEN
  NOP
ELSE
  CALL PARSE_PARMS RESULT

DRAW_PARMS:
  PARMS = ''
  ADDRESS TSO
  "ALLOC DATASET('"SYSPROC"("SCRNGLBL")') FILE(PARM) SHR"
  'EXECIO * DISKR PARM (FINIS STEM PARMS.'
  'FREE FILE(PARM)'
  DO I = 1 TO PARMS.0
    PARM = SPACE(SUBSTR(PARMS.I,1,12))
    IF PARM > '' THEN DO
      IF POS('.',PARM) = LENGTH(PARM) THEN DO
        INTERPRET "STEM_MAX = "PARM'0'
        DO J = 0 TO STEM_MAX
          INTERPRET "PARMS = PARMS||PARM||J'='''"PARM||J"''';'"
        END
      END
      ELSE
        INTERPRET "PARMS = PARMS||PARM'='''"PARM"''';'"
    END
  END
  DO I = 1 TO OBJ_CNT
    PARSE VAR OBJ_NDX.I DRAW_ROW_NUM '.' DRAW_FLD_CNT
    INTERPRET "PARMS = PARMS||"OBJ_NDX"'.'I'='||'''"OBJ_NDX.I"'''||';'"
    DO J = 1 TO ATTR_CNT
      PARM_VAL = OBJ.DRAW_ROW_NUM.DRAW_FLD_CNT.J
      IF POS("'",PARM_VAL) > 0 THEN DO
        CALL CHANGE_STR PARM_VAL,"'","''"
        PARM_VAL = STRING
      END
      INTERPRET "PARMS = PARMS||"OBJ.DRAW_ROW_NUM.DRAW_FLD_CNT||,
                "'.'J'='''PARM_VAL''';'"
    END
  END
RETURN

PARSE_PARMS:
  PARMS = ARG(1)
  INTERPRET PARMS
RETURN

Thank you,
Brian Chapman
On Mon, Sep 13, 2021 at 10:19 AM Bob Bridges <[email protected]> wrote:
> I use INTERPRET here and there, but pretty rarely. About the only program
> with it that I use all the time is something I call "EV" (for "evaluate"),
> that acts as a sort of ad-hoc calculator:
>
> parse arg v1
> interpret 'v2='v1
> say v1'='v2
>
> Thus I can say on any ISPF command line "tso ev 228/15" and learn how many
> cylinders that dataset is. Or "tso ev mvsvar('SYSNAME')" to look at the
> local node name. Or "tso ev xxx(45)" to test a new external REXX function.
>
> But I keep thinking about the possibilities for malice in any tool I write
> for public use, and worry about it. I can't think of any examples, because
> as Itschak points out below, it's always going to run under the
> perpetrator's own ID, so INTERPRET isn't giving him any capabilities he
> doesn't already have. Can anyone point me to an example of how this would
> become a Bad Thing? I'm really curious.
>
> ---
> Bob Bridges, [email protected], cell 336 382-7313
>
> /* Here is one of the great ironies of contemporary feminism: Elite young
> women these days take their cues about how to behave primarily from
> unmarried (and therefore adolescent) males. -Maggie Gallagher, 2002-05-20
> */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of ITschak Mugzach
> Sent: Monday, September 13, 2021 09:43
>
> Why hijack? Write your own code. Anyway, it runs under your user…
>
> We switched some of the interpret commands to value since the sending field
> was larger than 256 bytes. Value doesn’t care.
>
> --- On Mon, 13 Sep 2021 at 16:35, Gary Freestone <[email protected]> wrote:
> > A few years back I switched from INTERPRET to VALUE due to concerns I
> > had from a security perspective.
> >
> > Value only performs an evaluation and assigns it to a variable.
> > Interpret lets you do anything.
> >
> > Say for example in your sample code. If I could hijack your code and
> > add a single line to the REXX, I could issue a JES2 command. The
> > line is
> >
> > def=';x=isfcalls(on);address sdsf "isfexec /$DI";istr="DEF";say "DEF" '
> >
> > Sure, in this case it's just a harmless $DI, but it could be anything. The
> > only difference in the output is an example blank line.
> >
> > Sent from Mail for Windows
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
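
The contrast drawn in this thread (VALUE only assigns, INTERPRET runs whatever it is handed) can be applied to the variable-passing use case itself. The sketch below is an added example, not code from any poster: it packs variables as length-prefixed data and restores them with VALUE(), so quotes and semicolons in a value are never executed. PACK_VAR, UNPACK_VARS, NAME_OK and the ALLOWED list are hypothetical names, the sample values are constructed, and both sides are shown in one exec only so that it runs on its own.

```rexx
/* REXX - added example, not code from the thread. All routine names  */
/* and sample values below are hypothetical and constructed.          */
allowed = 'OBJPOS OBJVAL OBJ.'      /* names the receiver will accept */
objpos = '5,10'
objval = "it's';X=1;Y='"            /* quotes and semicolons stay data */
obj.0 = 1
obj.1 = 'a:b;c'
i = 7
parms = pack_var('OBJPOS') || pack_var('OBJVAL') || pack_var('OBJ.0') ||,
        pack_var('OBJ.1') || pack_var('I')
drop objpos objval obj.
i = 'caller-owned'
call unpack_vars parms
say 'OBJVAL =' objval
say 'OBJ.1  =' obj.1
say 'I      =' i                    /* I is not in ALLOWED             */
exit

pack_var:               /* encode as NAME LENGTH:VALUE, no quoting     */
  parse upper arg pv_name
  pv_val = value(pv_name)
  return pv_name length(pv_val) || ':' || pv_val

unpack_vars:            /* no PROCEDURE: must set the caller's variables */
  parse arg rest
  do while rest \== ''
    parse var rest name len ':' rest
    if \datatype(len, 'W') then leave          /* malformed length     */
    if len < 0 | len > length(rest) then leave /* truncated input      */
    val  = left(rest, len)
    rest = substr(rest, len + 1)
    if name_ok(name) then
      old = value(name, val)        /* assignment only, nothing is run */
    else
      say 'Rejected variable name:' name
  end
  return

name_ok: procedure expose allowed
  parse upper arg name
  if \datatype(name, 'S') then return 0        /* not a valid symbol   */
  dot = pos('.', name)
  if dot = 0 then return wordpos(name, allowed) > 0
  /* compound name: tail limited to digits and periods so VALUE()     */
  /* cannot substitute another variable into the tail                 */
  if verify(substr(name, dot + 1), '0123456789.') > 0 then return 0
  return wordpos(left(name, dot), allowed) > 0
```

The allow-list matters as much as dropping INTERPRET: without it, the other program could overwrite any variable in the receiver, such as a loop counter.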