> On 15 Nov 2025, at 19:05, Jean Louis Faucher <[email protected]> wrote: > > Could someone confirm that this email has been received by the group? > I don't see it in SourceForge.
More than 24 hours later, I received this Delivery Status Notification 550 Blacklisted file extension detected I created a patch ticket to share the zip file. https://sourceforge.net/p/oorexx/patches/223/ > >> On 15 Nov 2025, at 14:28, Rick McGuire <[email protected]> wrote: >> >> I should point out that having a builtin function that allows setting the >> security manager is itself a security problem. > > +1 > On 15 Nov 2025, at 19:02, Rony G. Flatscher <[email protected]> wrote: > > To cater for the security consideration one could add a checkpoint for that > particluar builtin function, as has been already done for the the > charin/charout/chars/linein/lineout/lines/stream builtin functions. > Alternatively, one could define a protected method to allow for > setting/removing a security manager for an interpreter instance. > > This would allow to create an interpreter instance, set a security manager > and then execute any potentially dangerous Rexx programs (e.g. from the > Internet) on that instance. (BSF4ooRexx allows for creating any number of > Rexx interpreter instances such that one could even pick different security > managers for different instances and dispatch Rexx programs via them.) > > Using an interpreter instance would be the best way to set the default security manager. I do not wish to create a native implementation of the RexxInterpreter class, but could this intermediate implementation serve as a temporary solution? It would be put in CoreClasses.orx Later, if desired, a native RexxInterpreter class could be implemented. say .RexxInterpreter~current -- a RexxInterpreter say .RexxInterpreter~current~id -- 1 .RexxInterpreter~current~setSecurityManager ::class "RexxInterpreter" public ::METHOD init CLASS expose instances use strict arg -- none instances = .StringTable~new self~init:super ::METHOD current CLASS expose instances use strict arg -- none currentId = .context~interpreter current = instances[currentId] if current~isNil then do current = self~new(currentId) instances[currentId] = current end return current ::ATTRIBUTE id GET ::METHOD init expose id use strict arg id self~init:super ::METHOD setSecurityManager PROTECTED EXTERNAL 'LIBRARY REXX interpreter_set_security_manager'
_______________________________________________ Oorexx-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/oorexx-devel
