On 12 Dec 2000, David N. Welton wrote:
> [ I'm back from the PLUTO meeting. It was fun, and I gave a talk on
> mod_dtcl in Italian :-) ]

no comments... ;-)

> > > 3) Investigate safe interpreters.
> Why don't you post the code to the list, and we can have a go at
> 'cracking' it. If it's alright with you, I can include it in
> contrib/, too.

Ok. It's a huge mess at the moment. First of all, to launch it, first write:

    proc proc_register {args} {
    }

(it's a part of a bit larger system of components I'm currently writing -
for articles, forum and stuff like that)

Here's how it should be used:

    ::eval::init
    puts [subst [::eval::format {
    this is a sample text.
    <+ reverse {this text will be reversed} +>
    }]]
    ::eval::finish

It may sound a bit weird, but it's not (I hope :). First of all, the cmd_*
procs should be rewritten as they do not use xformat2 - <+ reverse {[exec
reboot]} +> could reboot your machine if Apache was run as root.

The ::eval::format substs the text in the safe interpreter and prepares it
for a second subst'ing using the normal interpreter. It's the only solution I've
come up with to be able to do something like <+ link article 134 +> (which would
be a link to the article with id=134).

The cmd_* commands need to be written with extreme caution, but assuming
that there are no cmd_* procs or there's simply:

    proc cmd_test {arg} {
        return [xformat2 $arg]
    }

is there a way to 'crack' into it? :) I'm praying there isn't ;-)

ps. Yes, this code is a HUGE mess - it's about 0.0.1 beta :). But some
parts do really work :>

ps2. If anyone has an idea how to make it possible to do <+ link article
134 +>? [main problem I came up with is that it should be possible to
generate different links for different sites. Also, the reformatting procs
are kind of slow so I store results of ::eval::format in SQL as well -
which works quite fast ... (it's past midnight now and I'm veeery sleepy -
this mail may not make too much sense :)

Wojciech Kocjan
[EMAIL PROTECTED]
#
# EXTREMELY SAFE evaluator
#
namespace eval ::eval {
    variable interp

    # Backslash-escape characters that subst would interpret in literal
    # text and turn newlines into <BR>.
    proc xformat2 {txt} {
        regsub -all "\\\[" $txt "\\\\\\\\\\\[" txt
        regsub -all "\\\]" $txt "\\\\\\\\\\\]" txt
        regsub -all "\{" $txt "\{" txt
        regsub -all "\}" $txt "\}" txt
        regsub -all "\\\$" $txt "\\\\\\\\\\\$" txt
        regsub -all "<" $txt "\\<" txt
        regsub -all ">" $txt "\\>" txt
        regsub -all "\n" $txt "<BR>\n" txt
        return $txt
    }

    # Split text on the <+ ... +> markers: marker contents become
    # [command] substitutions, the text after the last marker is
    # escaped with xformat2.
    proc xformat {text {so "<+"} {sc "+>"}} {
        set i 0
        set m 0
        set rc [list]
        set sol [string length $so]
        set scl [string length $sc]
        while {1} {
            if {$m} {
                # find the ending sequence
                set sf [string first $sc $text $i]
                if {$sf<0} {
                    break
                }
                lappend rc "\[[string range $text $i [expr $sf-1]]\]"
                set i [expr $sf + $scl]
                set m 0
            } else {
                # find the beginning sequence
                set sf [string first $so $text $i]
                if {$sf<0} {
                    lappend rc [xformat2 [string range $text $i end]]
                    break
                }
                lappend rc "[xformat [string range $text $i [expr $sf-1]]]"
                set i [expr $sf + $sol]
                set m 1
            }
        }
        return [join $rc ""]
    }

    # Create the safe interpreter, remove every command not listed in
    # cmd_leave, and alias each cmd_* proc into it without the prefix.
    proc init {} {
        variable interp
        set interp [interp create -safe]
        set cmd_leave [list set info eval expr rename subst]
        foreach cmd [$interp eval [list info commands]] {
            if {[lsearch $cmd_leave $cmd]<0} {
                $interp eval [list rename $cmd ""]
            }
        }
        foreach cmd [info commands cmd_*] {
            regsub "^cmd_" $cmd "" ncmd
            $interp alias $ncmd ::eval::$cmd
        }
    }

    # Destroy the safe interpreter.
    proc finish {} {
        variable interp
        interp delete $interp
    }

    # Evaluate a script inside the safe interpreter.
    proc ieval {cmd} {
        variable interp
        return [$interp eval $cmd]
    }

    # FIXME - this needs to be REWRITTEN in C!
    # <+ +> rocks :)
    proc reformat {txt} {
        regsub -all "\\\[" $txt "\\\[" txt
        regsub -all "\\\]" $txt "\\\]" txt
        regsub -all "\{" $txt "\\\{" txt
        regsub -all "\}" $txt "\\\}" txt
        regsub -all "\\\$" $txt "\\\$" txt
        regsub -all "<\\+ *" $txt "\[" txt
        regsub -all " *\\+>" $txt "\]" txt
        regsub -all "<" $txt "\\<" txt
        regsub -all ">" $txt "\\>" txt
        #set txt [::rf::html $txt]
        regsub -all "\n" $txt "<BR>\n" txt
        return $txt
    }

    # First pass: convert the markers with xformat, then subst the
    # result in the safe interpreter. On error the input is returned.
    proc format {txt} {
        set xt [xformat $txt]
        catch {
            set txt [ieval [list subst $xt]]
        }
        return $txt
    }

    # The cmd_* procs below are exposed to the safe interpreter by init.
    proc cmd_link {lnk txt {target {}}} {
        set lnk [::rf::html $lnk]
        set txt [::rf::html $txt]
        set target [::rf::html $target]
        if {($target!="")} { set tgt " TARGET=\"$target\"" } else { set tgt "" }
        return "<A HREF=\"$lnk\"${tgt}>$txt</A>"
    }

    proc cmd_img args {
        return "<!-- tu powinien sie pojawic obrazek -->"
    }

    proc cmd_zet {var val} {
        set $var $val
        return ""
    }

    proc cmd_reverse {arg} {
        set sl [string length $arg]
        set rc ""
        for {set i [expr $sl-1]} {$i>=0} {incr i -1} {
            set rc "${rc}[string index $arg $i]"
        }
        return $rc
    }

    namespace export reformat
}

proc eval_childinit args {
    ::eval::init
}

proc eval_childexit args {
    ::eval::finish
}

proc_register ChildInit eval_childinit
proc_register ChildExit eval_childexit
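
The two-pass design discussed in the message (first subst in the safe interpreter, second subst in the normal one) stands or falls on what the aliased cmd_* procs return. The following is an added example, not part of the original post or the author's code: `marker`, `escape_for_subst`, `cmd_echo_raw`, `cmd_echo_safe` and `render` are hypothetical names, `escape_for_subst` is a single-level stand-in for the escaping xformat2 is meant to do, and `marker` is a harmless counter standing in for any command of the trusted interpreter.

```tcl
# Added illustration, constructed for this page. Requires Tcl 8.5 or later.
# ::hits counts how often `marker` is really executed by the trusted pass.
set ::hits 0
proc marker {} { incr ::hits; return "EXECUTED" }

# Backslash-escape everything the second (trusted) subst would interpret.
proc escape_for_subst {txt} {
    return [string map [list \\ \\\\ \[ \\\[ \] \\\] \$ \\\$] $txt]
}

# Two hypothetical aliases: one returns its argument raw, one escapes it.
proc cmd_echo_raw  {arg} { return $arg }
proc cmd_echo_safe {arg} { return [escape_for_subst $arg] }

# Stage 1 runs in a safe interpreter, stage 2 in the trusted one,
# mirroring the "puts [subst [::eval::format ...]]" usage in the message.
proc render {alias_target stage1_text} {
    set child [interp create -safe]
    $child alias echo $alias_target
    set stage1 [$child eval [list subst $stage1_text]]
    interp delete $child
    return [subst $stage1]          ;# second pass, full privileges
}

# Constructed stage-1 input: the form xformat builds for the marker
# "<+ echo {[marker]} +>". The braces keep the safe pass from touching it.
set stage1_text {[ echo {[marker]} ]}

set ::hits 0
set raw_out  [render cmd_echo_raw $stage1_text]
set raw_hits $::hits

set ::hits 0
set safe_out  [render cmd_echo_safe $stage1_text]
set safe_hits $::hits

puts "raw alias : output='$raw_out' marker calls=$raw_hits"
puts "safe alias: output='$safe_out' marker calls=$safe_hits"
```

With the raw alias the bracketed text survives the safe pass untouched and is executed by the second subst; with the escaping alias it comes out as literal text and `marker` is never called.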