On Tue, 14 Apr 2020 08:50:27 -0700, Charles Mills wrote:
>
>I got an off-list note from Sam Golob asking me to submit an actual fix, so
>I downloaded CBT 617 to have a clean copy to start from and it is *not* the
>source of the program I am using (and complaining about here).
>
>It *does* however have the same bug:
>
>BINTDECR:
>NUMERIC DIGITS 20
>ARG LITERAL
>INTZ = "LITERAL = C2X(''LITERAL'')"
>INTERPRET INTZ
>...
Ouch! INTERPRET is unnecessary, and perhaps dangerous
because of the possibility of code injection via the value of ARG.
"A little learning is a dangerous thing."
>Not sure exactly where to go from here. This misuse of ARG for binary fields
>seems to be pervasive! I don't have the time to be "Mr. Fix all the CBT Rexx
>misuses of ARG."
>
They probably expect you to prepare your input with CAPS ON.
>If you are using any Rexx code that processes binary data (such as SMF
>records) you might want to do a quick FIND on ARG and see if it has the same
>problem. Easy to fix:
>
>ARG FOO becomes FOO = ARG(1)
>
OK.
>ARG FOO BAR SOJACK becomes
>
>FOO = ARG(1)
>BAR = ARG(2)
>SOJACK = ARG(3)
>Etc.
>
No. That works only for Rexx:
CALL BINTDECR FOO, BAR, SOJACK
Use PARSE ARG FOO BAR SOJACK, which preserves case.
-- gil
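
An added example, not part of the original message or of the CBT code, showing the two points above: ARG folds bytes that happen to be lowercase letters while PARSE ARG leaves them alone (and C2X can be called directly, without INTERPRET), and ARG(n) separates arguments only when the caller passes them comma-separated. The routine names and the sample field are constructed for illustration.

```rexx
/* REXX - added example; all routine names are hypothetical            */
/* Constructed field: x'81' is 'a' in EBCDIC, x'61' is 'a' in ASCII,   */
/* so one of the two bytes is a lowercase letter on either platform.   */
field = '00008161'x

say 'input bytes          :' c2x(field)
say 'ARG LITERAL          :' hex_upper(field)
say 'PARSE ARG LITERAL    :' hex_safe(field)
if hex_safe(field) \== c2x(field) then say 'ERROR: safe routine changed the data'
if hex_upper(field) == c2x(field) then say 'ERROR: expected ARG to fold a byte'

say 'ARG(n), one string   :' by_position('Aa Bb Cc')
say 'ARG(n), three args   :' by_position('Aa', 'Bb', 'Cc')
say 'PARSE ARG, one string:' by_words('Aa Bb Cc')
exit 0

/* ARG is PARSE UPPER ARG: any byte that is a lowercase letter in the  */
/* platform code page is translated to uppercase before use.           */
hex_upper: procedure
  arg literal
  return c2x(literal)

/* PARSE ARG keeps every byte as passed; C2X is called directly, so no */
/* statement is ever built from the argument and no INTERPRET is used. */
hex_safe: procedure
  parse arg literal
  literal = c2x(literal)
  return literal

/* ARG(n) returns the n-th comma-separated argument string, unmodified. */
/* A single blank-delimited string arrives whole in ARG(1).             */
by_position: procedure
  foo = arg(1); bar = arg(2); sojack = arg(3)
  return '['||foo||'] ['||bar||'] ['||sojack||']'

/* PARSE ARG with several variables splits the first argument string   */
/* into blank-delimited words and preserves case. A binary field that  */
/* may contain a blank byte should be passed as one whole argument.    */
by_words: procedure
  parse arg foo bar sojack
  return '['||foo||'] ['||bar||'] ['||sojack||']'
```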