>From: [EMAIL PROTECTED] (Kouji takahashi)
>Subject: Re: [Q][Security] in web based squeaking?
>Date: Tue, 2 Oct 2001 17:53:56 +0900
>
> Hi. I'm glad to hear of your attempt.
>
> I'm using an intranet swiki which can contain Squeak code between 
>'<?' and '?>' tags.
>I simply put Mark Guzdial's ActiveSwikiAction into the current swiki framework.
>
> The main application of my swiki is accessing our customers database.
>Each person can have their own swiki pages containing specific queries and formats.
>It's very convenient to make small changes with only a browser, everywhere.
>
> ActiveSwikiAction searches for danger keywords such as #('Smalltalk' 
>'view' 'open' 'perform:' 'FileStream' 'FileDirectory' 'fileIn' 
>'Compiler' 'halt' 'PWS' 'Swiki') and prevents execution. I think this 
>is not enough, but perfect protection is very hard.
>
> My strategy is to make 'parts pages' which are controlled by a secure 
>person (password protected), and permit others to only call(?) 
>'parts pages' and forget about the security issue.
> Adding a 'page inlining' function makes it easy to pile multiple 'parts pages'.
>
>------------- Page inlining example. This page shows results of 2 
>'parts pages'.
>!Tako's today's schedule.
>
> **dateAndTimeNow**
> **todaysSchedule?person=Tako**
>---------------------------
>'dateAndTimeNow' and 'todaysSchedule' are 'parts pages'.
>
> I did not implement the '**todaysSchedule?person=Tako**' part; including 
>get fields to link needs some tweaks.
>
> For me, debugging is the main problem. ActiveSwikiAction does not 
>give any debugging support.
>Without the Squeak environment, debugging is a nightmare.
>
> Sorry for my poor English.
>
>bye.
>
>
>At 18:39 01.9.27, Torge Husfeldt wrote:
> > Hi there,
> >
> > A while ago I heard of the (theoretical) ability of swikis to support
> > real smalltalk scripting inside the edited pages.
> > Is this secure?
> > Is there any swiki active that makes use of this feature?
> >         (if not the first then most probably not the second ;-)
> > Is anybody interested in development or actively developing in this
> > direction?
> >
> > On the other hand what about security in the Squeak browser plugin? I
> > gather it is very safe against malicious code but only by being very
> > restrictive - is this still true? If so, I'd like to improve it to give
> > the user the choice between restrictiveness and power/security and
> > insecurity.
> >
> > I'd like to hear from every effort that has been made recently in this
> > direction, any active projects or any thoughts you have on this topic.
> > Looks like this is _the_ thing I will be working on for the next few
> > months if it proves to be worth(not commercially though) it.
> >
> > Thanks in advance
> > Torge
> >
> > P.S.: Even replies like "wrong list, post it there:..." welcome
>
>
>-------------------------------
>^. .^    Kouji Takahashi  <[EMAIL PROTECTED]>
> ='=     Tel +81-3-3986-4834    Fax +81-3-5992-0792

--------------------------
Mark Guzdial : Georgia Tech : College of Computing : Atlanta, GA 30332-0280
Associate Professor - Learning Sciences & Technologies.
Collaborative Software Lab - http://coweb.cc.gatech.edu/csl/
(404) 894-5618 : Fax (404) 894-0673 : [EMAIL PROTECTED]
http://www.cc.gatech.edu/gvu/people/Faculty/Mark.Guzdial.html
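
The 'parts pages' strategy from the quoted message, as an added Python sketch that is not part of the original mail and is not Swiki or ActiveSwikiAction code: an ordinary page never has its '<?' ... '?>' code evaluated and may only inline registered parts through the `**name?field=value**` marker. The names `PARTS`, `render_user_page` and `flagged_keywords` are hypothetical, the part outputs are constructed values, and plain substring matching for the keyword scan is an assumption.

```python
import re
from html import escape
from urllib.parse import parse_qsl

# Keyword list quoted in the message; substring matching is an assumption.
DANGER_KEYWORDS = ['Smalltalk', 'view', 'open', 'perform:', 'FileStream',
                   'FileDirectory', 'fileIn', 'Compiler', 'halt', 'PWS', 'Swiki']

def flagged_keywords(code):
    """Return the danger keywords that occur anywhere in the code text."""
    return [k for k in DANGER_KEYWORDS if k in code]

# Hypothetical registry of parts pages. Only the trusted, password-protected
# editor can add entries; each part escapes the fields it echoes back.
PARTS = {
    'dateAndTimeNow': lambda fields: '2 October 2001 5:53 pm',  # constructed value
    'todaysSchedule': lambda fields: 'Schedule for ' + escape(fields.get('person', '?')),
}

# **partName** or **partName?field=value&field2=value2**
INLINE = re.compile(r'\*\*([A-Za-z][A-Za-z0-9]*)(?:\?([^*\s]*))?\*\*')

def render_user_page(text):
    """Render an untrusted page: inline registered parts, escape everything else."""
    out, pos = [], 0
    for m in INLINE.finditer(text):
        # Text between markers is escaped, so '<? ... ?>' is shown, never run.
        out.append(escape(text[pos:m.start()]))
        part = PARTS.get(m.group(1))
        if part is None:
            out.append(escape(m.group(0)))  # unknown part: leave the marker inert
        else:
            out.append(part(dict(parse_qsl(m.group(2) or ''))))
        pos = m.end()
    out.append(escape(text[pos:]))
    return ''.join(out)

if __name__ == '__main__':
    page = "**dateAndTimeNow**\n**todaysSchedule?person=Tako**\n<? 3 + 4 ?>"
    print(render_user_page(page))
    # The scan also fires on harmless words that merely contain a keyword.
    print(flagged_keywords('customers preview'))
```

The last call shows a cost of substring scanning on the defender's side: 'preview' is rejected because it contains 'view', so legitimate parts code can be blocked while the list still cannot be called complete.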
