RE: [U2] Stringing commands together on the command line. Possible?
Don't have access to UV at present, but wonder if the following INPUT would do the trick

    ' AND WITH EVAL EXECUTE 'CLEAR.FILE CLIENT' = '

Ross Ferris
Stamina Software
Visage Better by Design!

-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-u2- [EMAIL PROTECTED] On Behalf Of penno
Sent: Monday, 29 October 2007 11:45 AM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Hi Bill, David, all

I'm getting the answers I want. (c: I'm glad it doesn't look like it's possible.

I should have explained myself more clearly. I'm looking at it from a security point of view. I read this comic the other day, http://xkcd.com/327/ and wondered if there was a risk of malicious code insertion with our inhouse programs.

For instance suppose there was a program like this (and it's been a while since I've programmed, so I hope you'll all get the gist of it!):

    CRT "INPUT MEMBER NAME:"
    INPUT MEM.NAME
    EXECUTE "SELECT CLIENT WITH MEMBER.NAME = '":MEM.NAME:"'"

Innocuous enough. Now, assume for a minute the ; delimiter worked like in unix. And suppose a malicious user, when prompted for MEM.NAME, entered:

    FRED' ; CLEAR.FILE CLIENT ; CRT 'NOTHING

From what I can tell, this would execute a CLEAR.FILE on CLIENT. I would like to be sure that this kind of thing's not possible. So far, so good. (c:

Thanks for your speedy answers.

Penno

Bill Haskett wrote:
Penno: As far as I know, this won't work. However, I can think of three ways to accomplish this:

---
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
RE: [U2] Stringing commands together on the command line. Possible?
The way that I've always used to string commands together 'on the fly' would be to build a proc inside your program based on what you want to do and write it out to a PL file, and then create a voc that pointed to it, and then CHAIN to that. At the end of your proc you could have it CHAIN back to your calling program or whatever you wanted. Instead of creating the voc, you might get away with just using the RUN command, but I'm not really sure about that without experimenting first.

But looks like you *really* got the answer you wanted. There is no ';' security hole in TCL. :)

*=aee=*

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of penno
Sent: Sunday, October 28, 2007 17:45
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Hi Bill, David, all

I'm getting the answers I want. (c: I'm glad it doesn't look like it's possible.
RE: [U2] Stringing commands together on the command line. Possible?
Yes, I wondered the same thing...

EVAL is designed to emulate an I-type dictionary item. Hence, will only execute any command that you can successfully compile within an I-type. So it wouldn't allow what you have in your example. You'd need a subroutine that could execute via EVAL to invoke a TCL or OS command indirectly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross Ferris
Sent: Monday, October 29, 2007 6:13 PM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Don't have access to UV at present, but wonder if the following INPUT would do the trick

    ' AND WITH EVAL EXECUTE 'CLEAR.FILE CLIENT' = '

Ross Ferris
Stamina Software
Visage Better by Design!
RE: [U2] Stringing commands together on the command line. Possible?
If you had a program such as example below

    ED BP TEST.BREAK
    3 lines long.
    : P
    0001: PRINT "ENTER NAME ":
    0002: INPUT NAME
    0003: EXECUTE "LIST VOC ":NAME
    Bottom at line 3.

    RUN BP TEST.BREAK
    ENTER NAME ?~DOS /c DIR

It will list the VOC then execute the DOS command DIR. In Unix the SH shell command would probably do the same.

There are security measures that can be taken to mitigate this. Using the voc security routine, Cleaning control characters out of inputted data.

Regards
David Jordan
Managing Consultant
RE: [U2] Stringing commands together on the command line. Possible?
So, it would have to be an inside job necessary in order to determine syntax of underlying query anyway -- and files to remove :-) but if you were going to leave the subroutine as evidence, you may as well have buried directly into compiled code anyway (and of course these critical changes would not appear in the source code left behind for the auditors to look at).

Ross Ferris
Stamina Software
Visage Better by Design!

-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-u2- [EMAIL PROTECTED] On Behalf Of Hona, David S
Sent: Monday, 29 October 2007 6:34 PM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Yes, I wondered the same thing...

EVAL is designed to emulate an I-type dictionary item. Hence, will only execute any command that you can successfully compile within an I-type. So it wouldn't allow what you have in your example. You'd need a subroutine that could execute via EVAL to invoke a TCL or OS command indirectly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross Ferris
Sent: Monday, October 29, 2007 6:13 PM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Don't have access to UV at present, but wonder if the following INPUT would do the trick

    ' AND WITH EVAL EXECUTE 'CLEAR.FILE CLIENT' = '

Ross Ferris
Stamina Software
Visage Better by Design!
RE: [U2] Stringing commands together on the command line. Possible?
And an easy way to block that is to remove write access to the dictionary. Iirc, you can't compile an EVAL if you can't compile an i-type.

I believe that was done for security reasons, but it may simply be that the easy way to code it was to write a temporary item to the dictionary. Either way, if you can't write to the dictionary, you shouldn't be able to do an EVAL.

Cheers,
Wol

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hona, David S
Sent: 29 October 2007 07:34
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Yes, I wondered the same thing...

EVAL is designed to emulate an I-type dictionary item. Hence, will only execute any command that you can successfully compile within an I-type. So it wouldn't allow what you have in your example. You'd need a subroutine that could execute via EVAL to invoke a TCL or OS command indirectly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross Ferris
Sent: Monday, October 29, 2007 6:13 PM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Don't have access to UV at present, but wonder if the following INPUT would do the trick

    ' AND WITH EVAL EXECUTE 'CLEAR.FILE CLIENT' = '

Ross Ferris
Stamina Software
Visage Better by Design!
RE: [U2] Stringing commands together on the command line. Possible?
Given that a paragraph is delimited by @FM (or @VM as one poster suggested), and that these can be entered through the keyboard (for example Ctrl-^ for @FM, Ctrl-] for @VM, Ctrl-\ for @SM), I wonder could these be the magic characters penno is seeking?

Don't have access to test at the moment, just wondering.
RE: [U2] Stringing commands together on the command line. Possible?
Ray

I can't enter an @FM on the command line (though set for ctl^) and an @VM is just thrown out as an unrecognized token. So from that test, no.

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ray Wurlod
Sent: 29 October 2007 13:47
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Stringing commands together on the command line. Possible?

Given that a paragraph is delimited by @FM (or @VM as one poster suggested), and that these can be entered through the keyboard (for example Ctrl-^ for @FM, Ctrl-] for @VM, Ctrl-\ for @SM), I wonder could these be the magic characters penno is seeking?

Don't have access to test at the moment, just wondering.
RE: [U2] Stringing commands together on the command line. Possible?
Hi Brian

I can achieve it with Ray's control character or paste it from another application. This does not work from TCL, but does work in an execute command within a program as demonstrated below, allowing a user to get to operating system commands.

Regards
David Jordan

If you had a program such as example below

    ED BP TEST.BREAK
    3 lines long.
    : P
    0001: PRINT "ENTER NAME ":
    0002: INPUT NAME
    0003: EXECUTE "LIST VOC ":NAME
    Bottom at line 3.

    RUN BP TEST.BREAK
    ENTER NAME ctl-^DOS /c DIR

It will list the VOC then execute the DOS command DIR. In Unix the SH shell command would probably do the same.

There are security measures that can be taken to mitigate this. Using the voc security routine, Cleaning control characters out of inputted data.

Regards
David Jordan
Managing Consultant
Re: [U2] Stringing commands together on the command line. Possible?
This is evil, but does string uv commands on the TCL line.

    SH -c 'uv TIME; uv WHO; uv COUNT VOC'
    16:42:44 29 OCT 2007
    26 uv From root
    927 records counted.
RE: [U2] Stringing commands together on the command line. Possible?
Oh ho. This is really something. Thanks very much guys.

Yeah, works for me too. No problem. Unix commands (the SH -c does indeed work) or UV commands. Take ya pick.

We've got an insert routine for inputs, which *does* filter out the field markers. Problem is there's no mandate to use it, and therefore we've got many programs using plain old INPUTs, no sanitizing, and, you guessed it, problems.

This is a great forum. Thanks again. (c:

Paul

David Jordan wrote:

Hi Brian

I can achieve it with Ray's control character or paste it from another application. This does not work from TCL, but does work in an execute command within a program as demonstrated below, allowing a user to get to operating system commands.

Regards
David Jordan

If you had a program such as example below

    ED BP TEST.BREAK
    3 lines long.
    : P
    0001: PRINT "ENTER NAME ":
    0002: INPUT NAME
    0003: EXECUTE "LIST VOC ":NAME
    Bottom at line 3.

    RUN BP TEST.BREAK
    ENTER NAME ctl-^DOS /c DIR

It will list the VOC then execute the DOS command DIR. In Unix the SH shell command would probably do the same.

There are security measures that can be taken to mitigate this. Using the voc security routine, Cleaning control characters out of inputted data.

Regards
David Jordan
Managing Consultant
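The input cleaning mentioned in the messages above (David Jordan's "cleaning control characters out of inputted data" and the shared input routine Paul describes), sketched as an added example that is not code from the thread or from any poster. CHECK.INPUT, MAX.LEN and the sample values are hypothetical, and single-byte characters (NLS off) are assumed.

```basic
* Added example, not from the thread. Allow-list check applied to a value
* before it is spliced into an EXECUTE sentence. CHECK.INPUT, MAX.LEN and the
* sample values are hypothetical; single-byte characters (NLS off) assumed.
MAX.LEN = 40
DIM SAMPLES(5)
SAMPLES(1) = "JONES"
SAMPLES(2) = "DE LA CRUZ"
SAMPLES(3) = "JONES":@FM:"WHO"    ;* constructed: field mark, as typed with Ctrl-^
SAMPLES(4) = "JONES":CHAR(7)      ;* constructed: other control character
SAMPLES(5) = "O'BRIEN"            ;* constructed: quote that would end the literal
FOR S = 1 TO 5
   MEM.NAME = SAMPLES(S)
   GOSUB CHECK.INPUT
   IF OK THEN
      CMD = "SELECT CLIENT WITH MEMBER.NAME = '":MEM.NAME:"'"
      CRT "accept: ":CMD          ;* the program would EXECUTE CMD here
   END ELSE
      CRT "reject: sample ":S:", ":REASON
   END
NEXT S
STOP

CHECK.INPUT:
   * Sets OK to 1 only if every character of MEM.NAME is printable ASCII
   * and is not one of the string delimiters.
   OK = 1
   REASON = ""
   L = LEN(MEM.NAME)
   IF L = 0 OR L > MAX.LEN THEN
      OK = 0
      REASON = "bad length ":L
   END
   FOR I = 1 TO L
      N = SEQ(MEM.NAME[I,1])
      IF OK AND (N < 32 OR N > 126) THEN
         * Covers the mark characters (251-255) and all control codes.
         OK = 0
         REASON = "control or mark character ":N:" at position ":I
      END
      IF OK AND (N = 34 OR N = 39 OR N = 92) THEN
         * Double quote, single quote, backslash: all delimit strings.
         OK = 0
         REASON = "quote character at position ":I
      END
   NEXT I
RETURN
END
```

Rejecting the value outright avoids guessing what the user meant. A shared check like this only helps if every program that builds an EXECUTE sentence from INPUT actually calls it.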
RE: [U2] Stringing commands together on the command line. Possible?
-Original Message-
On Behalf Of Brian Leach

I can't enter an @FM on the command line (though set for ctl^) and an @VM is just thrown out as an unrecognized token. So from that test, no.

I can enter an @AM/@FM per the original basic eg using the Alt+0254 (Alt key plus number-pad decimal ascii code) or Ctrl-^ key combination. So if the perpetrator knows or can guess the syntax of the execute the same security flaw is available in U2 as in the example.

    CRT "INPUT MEMBER NAME:"
    INPUT MEM.NAME
    EXECUTE "SELECT CLIENT WITH MEMBER.NAME = '":MEM.NAME:"'"

    INPUT MEMBER NAME: JONES' [Ctrl-^]CLEAR.FILE DATA VOC[Ctrl-^]

This would select Ms Jones Client ID then obliterate the VOC.

[UV 10.0.7, AIX, PICK FLAVOUR, VT220]
RE: [U2] Stringing commands together on the command line. Possible?
Penno:

As far as I know, this won't work. However, I can think of three ways to accomplish this:

1) Use a 3rd party tcl shell/stacker that allows execution of multiple lines in the stack. E.g.

    :.x3,4,17

   ...where the 3rd, 4th, and 17th command in the stack are:

    003 !ls -l
    004 !cat file
    017 !grep file string

2) Use a BASIC program command line compiler like: http://www.pickwiki.com/cgi-bin/wiki.pl?BPTest ...where you can enter something like:

    :BPTEST TclLine = !ls -l : @VM : !cat file : @VM : grep file string ; EXECUTE TclLine ; END

3) Shell out to the O/S then do this if you want.

Hope this helps.

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of penno
Sent: Sunday, October 28, 2007 3:32 PM
To: u2-users@listserver.u2ug.org
Subject: [U2] Stringing commands together on the command line. Possible?

Hi all

I'd like to string some commands together, similar to unix, eg

    ls -l ; cat file ; grep file string

This will execute ls, followed by cat, followed by grep. The ; is the magic character that allows this.

Is there a similar function available at the UV command prompt??

Thanks
Penno
RE: [U2] Stringing commands together on the command line. Possible?
I don't believe there is a native command/option to do this in UV.

In BASIC you can do this by delimiting each command with mark-character (eg., @FM) and 'execute' the string with the EXECUTE statement. So you could create your own pseudo UV command prompt parser. Some commands can't or shouldn't be run from EXECUTE though. :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of penno
Sent: Monday, October 29, 2007 9:32 AM
To: u2-users@listserver.u2ug.org
Subject: [U2] Stringing commands together on the command line. Possible?

Hi all

I'd like to string some commands together, similar to unix, eg

    ls -l ; cat file ; grep file string

This will execute ls, followed by cat, followed by grep. The ; is the magic character that allows this.

Is there a similar function available at the UV command prompt??

Thanks
Penno
RE: [U2] Stringing commands together on the command line. Possible?
Hi Bill, David, all

I'm getting the answers I want. (c: I'm glad it doesn't look like it's possible.

I should have explained myself more clearly. I'm looking at it from a security point of view. I read this comic the other day, http://xkcd.com/327/ and wondered if there was a risk of malicious code insertion with our inhouse programs.

For instance suppose there was a program like this (and it's been a while since I've programmed, so I hope you'll all get the gist of it!):

    CRT "INPUT MEMBER NAME:"
    INPUT MEM.NAME
    EXECUTE "SELECT CLIENT WITH MEMBER.NAME = '":MEM.NAME:"'"

Innocuous enough. Now, assume for a minute the ; delimiter worked like in unix. And suppose a malicious user, when prompted for MEM.NAME, entered:

    FRED' ; CLEAR.FILE CLIENT ; CRT 'NOTHING

From what I can tell, this would execute a CLEAR.FILE on CLIENT. I would like to be sure that this kind of thing's not possible. So far, so good. (c:

Thanks for your speedy answers.

Penno

Bill Haskett wrote:
Penno: As far as I know, this won't work. However, I can think of three ways to accomplish this: