Yes...although on the mainframe this issue isn't quite as critical as it can be
on other platforms.
There was a time when I considered including in all my REXXes a parm that could
be evaluated like this:
  arg args
  do while args<>''
    parse var args arg args
    select
      when arg='DBG' then trace 'I'
      when pos('=',arg)>0 then interpret arg  /* <--- initialize any variable <--- */
      otherwise call abend 'Unrecognized arg' arg
    end
  end
I could use this (I thought) to change the default value of ... well, of
practically anything in the program! I thought that was pretty useful.
And maybe it would be. But if I ever called the program with an improperly
constructed arg like that, I could maybe damage something in ways I could not
foresee. And assuming I provided the routine to others, someone could include
"malware('=')" as one of the arguments and do something even more objectionable.
Now, it's true that on the mainframe such a user could not thus gain access to
authorities he didn't already have; if his "malware('=')" call would work, then
he could just call MALWARE himself without going through my exec. Still, I
began to have less confidence in my bright idea. I don't completely eschew
INTERPRET, but I use it only rarely.
(I do have a REXX named EV (for "evaluate") that's basically just an INTERPRET
statement; I call it partly as a calculator -
==> tso ev 15*75
...and partly as a quick check on the results of a function call:
==> tso ev node=mvsvar(sysname)
==> tso ev myfunction('XYZ')
But that's about it.)
---
Bob Bridges, [email protected], cell 336 382-7313
/* The most important thing a father can do for his children is to love their
mother. -Theodore Hesburgh */
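
An added example, not part of the original message: the same name=value override idea without INTERPRET, where the name is checked against an allowlist and the value is stored as data through VALUE() rather than executed. The option names (RETRIES, HLQ, MAXRC), their defaults and the FAIL routine are hypothetical.

```rexx
/* REXX - added example: name=value overrides without INTERPRET      */
/* Option names, defaults and the FAIL routine are hypothetical.     */
allowed = 'RETRIES HLQ MAXRC'         /* only these may be overridden */
numeric_opts = 'RETRIES MAXRC'        /* these must be whole numbers  */
retries = 3; hlq = 'SYS1'; maxrc = 4  /* program defaults             */

parse arg args                        /* PARSE ARG keeps value case   */
do while args <> ''
  parse var args tok args
  select
    when translate(tok) = 'DBG' then trace 'I'
    when pos('=', tok) > 0 then do
      parse var tok name '=' val
      name = translate(name)
      /* Reject anything that is not a known option, so a token such */
      /* as malware('=') stops here and is never evaluated.          */
      if wordpos(name, allowed) = 0 then
        call fail 'Option not allowed:' name
      if wordpos(name, numeric_opts) > 0 & \datatype(val, 'W') then
        call fail 'Whole number required for' name
      /* VALUE(name, new) assigns val as a plain string; unlike      */
      /* INTERPRET, nothing inside val is run as REXX.               */
      call value name, val
    end
    otherwise call fail 'Unrecognized arg' tok
  end
end

say 'retries='retries 'hlq='hlq 'maxrc='maxrc
exit 0

fail:
  parse arg msg
  say msg
  exit 12
```

Called with RETRIES=5 hlq=TEST it reports retries=5 hlq=TEST maxrc=4; called with malware('=') it stops at "Option not allowed".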
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Paul Gilmartin
Sent: Friday, March 20, 2020 21:53
INTERPRET is an invitation to intrusion unless the programmer
strictly controls the source of its operand. VALUE() somewhat
less so.
--- On Sat, 21 Mar 2020 01:46:07 +0000, Jackson, Rob wrote:
I'll bite, since no one else has. What's wrong with Interpret/Value()? I have
used both to great benefit before, when there didn't seem to be a good--or
possible--alternative. I thought they were both very nice features of the
language--to be used very sparingly (because I believe they are CPU-costly).
What other reason not to? Enlighten me.