[EMAIL PROTECTED] wrote:
> Now let's read another rule from an external source ...
>
> >> rulestring: "[some alpha {=^"} (print {YOU'VE BEEN TRASHED!}
> halt)]"
>
> ... and try to use it with the same code ...
>
> >> foreach str [{name="value"} {n="v"} {name=val} {name='val} ][
> [ print [str parse str load rulestring]
> [ ]
> YOU'VE BEEN TRASHED!
>
> We can imagine worse...
[...]
You can avoid this kind of problems quite easyly by letting the
block execute only the functions you want it to. Example:
>> allowed: make object! [
[ print: get in system/words 'print
[ none: system/words/none
[ ; etc..
[ ]
>> code: [print "Hello!"]
== [print "Hello!"]
>> malicious-code: [delete %rebol.exe]
== [delete %rebol.exe]
>> all-unsets: use first system/words ['system]
== system
>> bind code all-unsets
== [print "Hello!"]
>> bind code in allowed 'self
== [print "Hello!"]
>> do code
Hello!
>> bind malicious-code all-unsets
== [delete %rebol.exe]
>> bind malicious-code in allowed 'self
== [delete %rebol.exe]
>> do malicious-code
** Script Error: delete has no value.
** Where: delete %rebol.exe
:-)
Ciao,
/Gabriele./
o--------------------) .-^-. (----------------------------------o
| Gabriele Santilli / /_/_\_\ \ Amiga Group Italia --- L'Aquila |
| GIESSE on IRC \ \-\_/-/ / http://www.amyresource.it/AGI/ |
o--------------------) `-v-' (----------------------------------o
