Here are the results of comparing the test units that got created to test the
ooRexx security manager on ooRexx 3.2.0, 4.2.0 and 5.0beta:

                            Security Manager via
                            Method-Object                    Routine-Object                   Package-Object
security    info-           3.2.0      4.2.0      5.0beta    3.2.0      4.2.0      5.0beta    3.2.0      4.2.0      5.0beta
message     directory
-----------------------------------------------------------------------------------------------------------------------------
CALL                        pass       pass       pass       n/a        pass       pass       n/a        fail       fail
            NAME            pass       pass       pass       n/a        pass       pass       n/a        pass       fail
            ARGUMENTS       pass       pass       pass       n/a        pass       pass       n/a        pass       pass
            RESULT          pass       pass       pass       n/a        pass       pass       n/a        pass       fail
COMMAND                     pass       pass       pass       n/a        pass       pass       n/a        pass       fail
            RC              pass       pass       pass       n/a        pass       pass       n/a        pass       pass
            FAILURE         pass       pass       pass       n/a        pass       pass       n/a        pass       pass
                            trace-output shown on failure    trace-output shown on failure    trace-output shown on failure
            ERROR           pass       pass       pass       n/a        pass       pass       n/a        pass       pass
ENVIRONMENT                 pass       pass       fail       n/a        pass       fail       n/a        pass       pass
            NAME            pass       pass       pass       n/a        pass       fail       n/a        pass       pass
            RESULT          pass       pass       pass       n/a        pass       fail       n/a        pass       pass
LOCAL                       pass       pass       pass       n/a        pass       pass       n/a        pass       pass
            NAME            pass       pass       pass       n/a        pass       pass       n/a        pass       pass
            RESULT          pass       pass       pass       n/a        pass       pass       n/a        pass       pass
METHOD                      pass       pass       pass       n/a        pass       pass       n/a        pass       pass
            OBJECT          pass       pass       pass       n/a        pass       pass       n/a        pass       pass
            NAME            pass       pass       pass       n/a        pass       pass       n/a        pass       pass
            ARGUMENTS       pass       pass       pass       n/a        pass       pass       n/a        pass       pass
REQUIRES                    pass       fail       fail       n/a        fail       fail       n/a        fail       fail
            NAME            pass       pass       pass       n/a        pass       fail       n/a        fail       fail
            SECURITYMANAGER pass       fail       fail       n/a        fail       fail       n/a        fail       fail
STREAM                      pass       fail       fail       n/a        fail       fail       n/a        fail       fail
            NAME            uppercased uppercased pass       n/a        uppercased pass       n/a        fail       fail
                                       not using  not using             not using  not using             not using  not using
                                       supplied   supplied              supplied   supplied              supplied   supplied
                                       stream!    stream!               stream!    stream!               stream!    stream!

As you can see, taking advantage of the ooRexx security manager using
method-objects on ooRexx 3.2.0 works as documented in the ooRexx Reference
(rexxref.pdf), "Chapter 13. The Security Manager". There is one glitch there
when monitoring the stream-BIFs: the supplied file name (fully qualified) is
returned in uppercase! (As Windows does not distinguish between lower and
uppercase in its file system, this glitch went unnoticed.)

ooRexx 4.x introduced the fundamental classes "Routine" and "Package". This
version also introduced the ability to carry out a "dynamic requires" with the
following code:
".context~package~addPackage(.package~new(nameOfRequiredRexxPackage.rex))"
Using the security manager with routine objects works with two exceptions:
intercepting the ::requires-directive and using a stream-object to be used for
the stream-BIFs. Using package objects works with three exceptions:
intercepting the CALL security message, the REQUIRES security message and using
a stream-object to be used for the stream-BIFs.

Using the ooRexx 5.0beta security manager works with four exceptions:
intercepting the CALL security message, the COMMAND security message, the
REQUIRES security message and using a stream-object to be used for the
stream-BIFs.

All three versions of ooRexx also exhibit an interesting behaviour with the
COMMAND security message, when defining that a FAILURE should be raised in the
supervised program: in such a case the failed command will always be shown
formatted as a Rexx trace!

---

General conclusion:

  * Using method-objects: in ooRexx 3.2, creating a method object with any
    Rexx code does not execute the code, such that an existing ::REQUIRES
    directive does not get carried out. This allows for setting a security
    manager for that method object, which then will be used when using "RUN"
    to execute the Rexx code in that method object.
    In ooRexx 4.2 and 5.0 it seems that the REQUIRES directive is not
    executed. Executing code with a dynamic requires and defining a security
    manager before running the code works. If in a dynamic REQUIRE message a
    security manager is set for the required file, then that required file is
    *not* run using that security manager.
    If the STREAM security message for BIFs returns an object to serve as the
    stream object, then the BIFs do not use that object on 4.2 and 5.0beta.
  * Using routine-objects: in essence using a security manager on
    routine-objects behaves the same as on method-objects on ooRexx 4.2.
    ooRexx 5.0beta introduces an additional error in processing the REQUIRES
    security message, which seems to be never sent; it seems that ooRexx
    5.0beta processes the REQUIRES directives at routine object creation time,
    unlike ooRexx 3.2 and 4.2!
  * Using package-objects: it seems that when creating a package object the
    requires directives get processed already! So a security manager can
    currently only be set *after* the ("REQUIRES") fact, which would pose a
    security hole if requires directives should be executed under the
    auspices of a security manager!
    There may be two different solutions possible to this: either do not
    process the requires-directives at package creation time, but at
    "addPackage"-time, or alternatively, allow for an optional second security
    manager argument in the constructor, which if present should be used when
    processing the requires-directives.

Will be uploading the latest set of test units to
<https://sourceforge.net/p/oorexx/patches/202/> in a few moments. In addition I
will also upload the Excel spreadsheet used to tag the test results for the
security manager messages carried out on ooRexx 3.2.0, 4.2.0 and 5.0beta.

This concludes my work on creating and analyzing the test units for testing the
ooRexx security manager. (Of course, if anyone finds tests missing, then please
let me know!)

---

One question though: should I create individual bug reports in the ooRexx bug
database, pointing at the test unit methods exhibiting the found bugs? If so,
should I also add a bug for 3.2.0 w.r.t. the STREAM security message supplying
the filename mistakenly in uppercase (was fixed in 5.0beta for .method and
.routine objects!), just to have it on file for regression analysis?

---rony
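Added example (not one of Rony's test units and not code from the ooRexx project): a minimal ooRexx security manager that records every check it receives and refuses host commands, attached first to a Routine object and then to a dynamically required Package, to show the point made above about where a manager can be set relative to ::REQUIRES processing. The class name "supervisor", the package name "required.rex" and both in-memory sources are constructed for this example; "setSecurityManager", "addPackage" and "findRoutine" are the ooRexx 4.x methods of the Routine, Package and RexxContext classes.

```rexx
/* Added example, not part of the original post or of ooRexx itself: a logging
   security manager that refuses COMMAND checks, attached to a Routine object
   and to a dynamically required Package. Names and sources are constructed. */

mgr = .supervisor~new

-- 1) Routine object: attach the manager before the code runs.
rtnSrc = "'echo this command is refused'; return 'rc after command:' rc"
rtn = .routine~new("dynamic.rex", rtnSrc)   -- constructed source, not a file on disk
rtn~setSecurityManager(mgr)
say rtn~call

-- 2) Dynamic requires: the package object is created first, so a ::REQUIRES
--    inside it would already have been processed before a manager can be
--    attached; code called from the package afterwards does run under it.
pkgSrc = .array~new
pkgSrc~append("::routine helper public")
pkgSrc~append("  'echo host command inside the required package'")
pkgSrc~append("  return 'helper saw rc' rc")
pkg = .package~new("required.rex", pkgSrc)    -- assumed package name, in-memory source
pkg~setSecurityManager(mgr)
.context~package~addPackage(pkg)
say pkg~findRoutine("helper")~call

say
say "checks seen by the manager:"
do line over mgr~log
   say "  " line
end

::class supervisor
::method init
  expose log
  log = .array~new

::attribute log get      -- the checks this manager has been asked about

::method unknown         -- any check not handled below (CALL, REQUIRES, STREAM, ...)
  expose log             -- is recorded and allowed to proceed normally (return 0)
  use arg check, args
  log~append(check "allowed")
  return 0

::method command         -- COMMAND check: refuse the host command outright
  expose log
  use arg info           -- info~address and info~command are supplied by the interpreter
  log~append("COMMAND" info~address":" info~command "refused")
  info~rc = -1           -- return code the supervised code sees in RC
  return 1               -- 1 = the manager handled the check; the command is not run
```

Running this under ooRexx 4.2 prints the two routine results (both with rc -1, since neither echo ever reached the host) and then the log of checks. The second part is the situation the post describes: the manager only governs code executed from the package after `setSecurityManager`, so any ::REQUIRES in "required.rex" would have been processed at `.package~new` time without it.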



_______________________________________________
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel
