Re: do. command. safety. ?

2018-04-03 Thread Bob Sneidar via use-livecode
When I first started writing things in Hypercard, I would take my creations to 
the Principal of the High School where I worked and he would set about trying 
to break my code. He was good at it. He told me that if it occurred to him to 
try and break it, eventually it would occur to someone else. Smart guy. 

Bob S


> On Apr 3, 2018, at 03:50 , Mark Waddingham via use-livecode 
>  wrote:
> 
> Put another way, all cases where code could be maliciously subverted are also 
> cases where your code could break through simple user error.
> 
> I'm not sure if that makes the problem any simpler to think about - but it at 
> least removes the notion that maliciousness is the reason to be careful, and 
> replaces it with robustness (which seems slightly more positive, at least).
> 
> Warmest Regards,
> 
> Mark.
> 
> -- 
> Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
> LiveCode: Everyone can create apps


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode


Re: do. command. safety. ?

2018-04-03 Thread Mark Waddingham via use-livecode

On 2018-04-02 07:06, Richard Gaskin via use-livecode wrote:

> You were just thinking constructively.  You look for outcomes that
> benefit people.  That's a good perspective to have.  Most devs do.
>
> Maliciously breaking things requires a different mindset.


Or just recast the problem as an entirely constructive one...

We're thinking of this problem in terms of 'how can someone maliciously 
cause damage through code I've written' - however that problem is no 
different from a much more benign one...


  "How can a completely benign user accidentally cause our code to get 
into an unintended state"


In the case of the 'do' command which initiated this discussion - then 
imagine you are doing some sort of processing of user input on a form - 
and (for whatever reason - there are many) you are using do:


  on commitButtonPressed
    ...
    do "put" && quote & field "Username" & quote && "into tRecord[1]"
    ...
  end commitButtonPressed

Here I'm imagining a card on a stack which is some sort of form. There's 
a 'continue/commit' button which causes commitButtonPressed to be 
called. The data you want to process is in fields on the card - in this 
case the user is required to enter a username - that goes into field 
"Username".


The benign user (whether it be just because they have made a typo or are 
just slightly perverse) enters newuser" - i.e. newuser with the quote 
char at the end.


This input will result in the above code not working correctly, as the 
do command will try and execute:


  put "newuser"" into tRecord[1]

Which will fail, meaning that tRecord[1] will hold empty - which will 
mean the rest of the code will be faulty.


Put another way, all cases where code could be maliciously subverted are 
also cases where your code could break through simple user error.


I'm not sure if that makes the problem any simpler to think about - but 
it at least removes the notion that maliciousness is the reason to be 
careful, and replaces it with robustness (which seems slightly more 
positive, at least).


Warmest Regards,

Mark.

--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps



Re: do. command. safety. ?

2018-04-01 Thread Richard Gaskin via use-livecode

J. Landman Gay wrote:

> Thanks for the examples, Alex and Richard. I did understand the
> principle behind the caution but I couldn't get any of my tests to
> produce bad results. Both your examples do that.
>
> I think the problem was that I wasn't being imaginative enough.

You were just thinking constructively.  You look for outcomes that 
benefit people.  That's a good perspective to have.  Most devs do.


Maliciously breaking things requires a different mindset.

--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.com   http://www.FourthWorld.com



Re: do. command. safety. ?

2018-04-01 Thread J. Landman Gay via use-livecode
So next time I'd better hire one of you guys, looks like. Malice isn't my 
strong point. Except maybe for certain distant relatives.


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
On April 1, 2018 5:42:26 PM Mark Wieder via use-livecode 
 wrote:


On 04/01/2018 11:40 AM, J. Landman Gay via use-livecode wrote:
Thanks for the examples, Alex and Richard. I did understand the
principle behind the caution but I couldn't get any of my tests to
produce bad results. Both your examples do that.

I think the problem was that I wasn't being imaginative enough.

Yep. That's the problem with security coding - you have to be more
imaginative keeping out of trouble than the imaginative folks who are
looking for ways to cause mischief.

--
Mark Wieder
ahsoftw...@gmail.com







Re: do. command. safety. ?

2018-04-01 Thread Mark Wieder via use-livecode

On 04/01/2018 11:40 AM, J. Landman Gay via use-livecode wrote:
> Thanks for the examples, Alex and Richard. I did understand the 
> principle behind the caution but I couldn't get any of my tests to 
> produce bad results. Both your examples do that.
>
> I think the problem was that I wasn't being imaginative enough.



Yep. That's the problem with security coding - you have to be more 
imaginative keeping out of trouble than the imaginative folks who are 
looking for ways to cause mischief.


--
 Mark Wieder
 ahsoftw...@gmail.com



Re: do. command. safety. ?

2018-04-01 Thread J. Landman Gay via use-livecode
Thanks for the examples, Alex and Richard. I did understand the 
principle behind the caution but I couldn't get any of my tests to 
produce bad results. Both your examples do that.


I think the problem was that I wasn't being imaginative enough.

--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com



Re: do. command. safety. ?

2018-03-31 Thread Richard Gaskin via use-livecode

Jacque wrote:
> could you provide an example where the embedded command would actually
> execute?

A variant of Mark's example which executes when passed to fooEvil but 
not when pass to fooGood:


on mouseUp
   put "into x "&";answer GOTCHA & word 1 of the params #" \
   into tUserInput
   fooGood tUserInput
   fooEvil tUserInput
end mouseUp

on fooGood pUserInput
   do "put pUserInput into x"
end fooGood

on fooEvil pUserInput
   do "put " & pUserInput &" into x"
end fooEvil


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.com   http://www.FourthWorld.com



Re: do. command. safety. ?

2018-03-31 Thread Alex Tweedly via use-livecode
The question is exactly what did you type into the field ? It's unclear 
whether the quotes in your email are part of the email, or part of the 
field content.


Here's a case that definitely shows the difference:

button "Button"

on mouseUp
  local tVar, tX
  -- the field text is spliced into the script that do executes
  do "put " && quote & the text of fld 1 & quote && "into tX"
  put "now tx=" && tX
end mouseUp

and button "safe"

on mouseUp
  local tVar, tX
  -- the field text only ever lives in a variable; the do string is constant
  put fld 1 into tVar
  do "put tVar into tX"
  put "now tx=" && tX
end mouseUp

and into the field I typed

1+2+3" into tt;set the backcolor of btn 1 to blue;put "


Clicking button 'safe' gives

now tx= 1+2+3" into tt;set the backcolor of btn 1 to blue;put "

after the msg box; and repeated clicks there produce extra lines all the 
same.


Clicking button 'button' gives

now tx=

in the msgbox, and the button color changes.

So the embedded command within the field is being executed.

-- Alex.



On 31/03/2018 20:03, J. Landman Gay via use-livecode wrote:
At the risk of appearing to be obtuse...I tried both versions of the 
"do" and got the same results. In each case, the variable was 
populated but no code was executed. In a test stack with one field and 
one button, I entered ";set the backcolor of btn 1 to blue;put ". In 
the button script I tried both versions of your example (substituting 
"fld 1" for "user input".) I also tried it without the semicolons and 
extra "put " at the end.


In each case the variable x contained "set the backcolor of btn 1 to 
blue" and the button did not change color.


I am quite sure you are right, but could you provide an example where 
the embedded command would actually execute?


On 3/30/18 7:06 PM, Mark Waddingham via use-livecode wrote:
The user input was indirected through a variable in the safe version 
- not made part of the do string... That's the critical difference.


The unsafe version allows user input to change the do'd code, the 
safe version only changes the content of a variable the do string uses.


Warmest Regards,

Mark.

Sent from my iPhone

On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode 
 wrote:


Well yes, but as Bob mentioned, wouldn't a variable do the same thing?

  put ";delete hard drive;put " into x
  do x

vs:

  do "put " && quote & ";delete hard drive;put " & quote && "into x"

This actually came up way back in MetaCard where it was pointed out 
that the engine was about as secure as it gets as long as you 
validate all user input when using "do" or (I think) "value". In the 
first example above, input needs to be examined before the "do" 
command is issued. So I think there's a line or two missing in there 
somewhere. ;)




On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
Think about the string that can be constructed in the quoted 
version - user input could be "; ...;put " where ... is any code 
you would like...

Sent from my iPhone
On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
 wrote:


These look the same to me. Both versions place content into a 
variable. Is the difference because of how the engine evaluates 
the input somehow?


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
 wrote:


Using do safely is the same as making database queries safe, or 
URL requests.


You 'just' need to make sure that any input from outside is 
sanitized to ensure that it doesn't change the meaning of the 
expression you are 'doing'.


For example, don't interpolate strings directly in the script 
using quotes, use a local var instead:


put user input into tVar1
do "put tVar1 into x" -- safe

Rather than

do "put " && quote & user input & quote && "into x" -- not safe

Warmest Regards,

Mark.

Sent from my iPhone

On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
 wrote:


Dear Geniuses

Sometimes late at night just before falling asleep I think 
about the

dangers of the do command.  Is it possible to inject code into this
mechanism through malware?

I do not have enough understanding of operating systems and their processes
...and the livecode engine to be able to know if it's a reasonable
question or not.

Thanks for any input on this.



--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com





Re: do. command. safety. ?

2018-03-31 Thread Dr. Hawkins via use-livecode
On Fri, Mar 30, 2018 at 9:02 AM, Mark Waddingham via use-livecode <
use-livecode@lists.runrev.com> wrote:

>
> do "put " && quote & user input & quote && "into x" -- not safe
>


Thus,
   do "initiate global thermonuclear war"


:)

Was shazam the statistical package that actually implemented that (only
partially, we hoped!)


-- 
Dr. Richard E. Hawkins, Esq.
(702) 508-8462


Re: do. command. safety. ?

2018-03-31 Thread J. Landman Gay via use-livecode

BTW, I know this works and is dangerous: do 

It's the insertions that don't seem to be affected.

On 3/31/18 2:03 PM, J. Landman Gay via use-livecode wrote:
At the risk of appearing to be obtuse...I tried both versions of the 
"do" and got the same results. In each case, the variable was populated 
but no code was executed. In a test stack with one field and one button, 
I entered ";set the backcolor of btn 1 to blue;put ". In the button 
script I tried both versions of your example (substituting "fld 1" for 
"user input".) I also tried it without the semicolons and extra "put " 
at the end.


In each case the variable x contained "set the backcolor of btn 1 to 
blue" and the button did not change color.


I am quite sure you are right, but could you provide an example where 
the embedded command would actually execute?


On 3/30/18 7:06 PM, Mark Waddingham via use-livecode wrote:
The user input was indirected through a variable in the safe version - 
not made part of the do string... That's the critical difference.


The unsafe version allows user input to change the do'd code, the safe 
version only changes the content of a variable the do string uses.


Warmest Regards,

Mark.

Sent from my iPhone

On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode 
 wrote:


Well yes, but as Bob mentioned, wouldn't a variable do the same thing?

  put ";delete hard drive;put " into x
  do x

vs:

  do "put " && quote & ";delete hard drive;put " & quote && "into x"

This actually came up way back in MetaCard where it was pointed out 
that the engine was about as secure as it gets as long as you 
validate all user input when using "do" or (I think) "value". In the 
first example above, input needs to be examined before the "do" 
command is issued. So I think there's a line or two missing in there 
somewhere. ;)




On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
Think about the string that can be constructed in the quoted version 
- user input could be "; ...;put " where ... is any code you would 
like...

Sent from my iPhone
On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
 wrote:


These look the same to me. Both versions place content into a 
variable. Is the difference because of how the engine evaluates the 
input somehow?


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
 wrote:


Using do safely is the same as making database queries safe, or 
URL requests.


You 'just' need to make sure that any input from outside is 
sanitized to ensure that it doesn't change the meaning of the 
expression you are 'doing'.


For example, don't interpolate strings directly in the script 
using quotes, use a local var instead:


put user input into tVar1
do "put tVar1 into x" -- safe

Rather than

do "put " && quote & user input & quote && "into x" -- not safe

Warmest Regards,

Mark.

Sent from my iPhone

On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
 wrote:


Dear Geniuses

Sometimes late at night just before falling asleep I think 
about the

dangers of the do command.  Is it possible to inject code into this
mechanism through malware?

I do not have enough understanding of operating systems and their processes
...and the livecode engine to be able to know if it's a reasonable
question or not.

Thanks for any input on this.



--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com











--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com



Re: do. command. safety. ?

2018-03-31 Thread J. Landman Gay via use-livecode
At the risk of appearing to be obtuse...I tried both versions of the 
"do" and got the same results. In each case, the variable was populated 
but no code was executed. In a test stack with one field and one button, 
I entered ";set the backcolor of btn 1 to blue;put ". In the button 
script I tried both versions of your example (substituting "fld 1" for 
"user input".) I also tried it without the semicolons and extra "put " 
at the end.


In each case the variable x contained "set the backcolor of btn 1 to 
blue" and the button did not change color.


I am quite sure you are right, but could you provide an example where 
the embedded command would actually execute?


On 3/30/18 7:06 PM, Mark Waddingham via use-livecode wrote:

The user input was indirected through a variable in the safe version - not made 
part of the do string... That's the critical difference.

The unsafe version allows user input to change the do'd code, the safe version 
only changes the content of a variable the do string uses.

Warmest Regards,

Mark.

Sent from my iPhone


On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode 
 wrote:

Well yes, but as Bob mentioned, wouldn't a variable do the same thing?

  put ";delete hard drive;put " into x
  do x

vs:

  do "put " && quote & ";delete hard drive;put " & quote && "into x"

This actually came up way back in MetaCard where it was pointed out that the engine was about as secure as it 
gets as long as you validate all user input when using "do" or (I think) "value". In the 
first example above, input needs to be examined before the "do" command is issued. So I think 
there's a line or two missing in there somewhere. ;)



On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
Think about the string that can be constructed in the quoted version - user input could 
be "; ...;put " where ... is any code you would like...
Sent from my iPhone

On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
 wrote:

These look the same to me. Both versions place content into a variable. Is the 
difference because of how the engine evaluates the input somehow?

--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com

On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
 wrote:

Using do safely is the same as making database queries safe, or URL requests.

You 'just' need to make sure that any input from outside is sanitized to ensure 
that it doesn't change the meaning of the expression you are 'doing'.

For example, don't interpolate strings directly in the script using quotes, use 
a local var instead:

put user input into tVar1
do "put tVar1 into x" -- safe

Rather than

do "put " && quote & user input & quote && "into x" -- not safe

Warmest Regards,

Mark.

Sent from my iPhone


On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
 wrote:

Dear Geniuses

Sometimes late at night just before falling asleep I think about the
dangers of the do command.  Is it possible to inject code into this
mechanism through malware?

I do not have enough understanding of operating systems and their processes
...and the livecode engine to be able to know if it's a reasonable
question or not.

Thanks for any input on this.



--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com








--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com



Re: do. command. safety. ?

2018-03-30 Thread Mark Waddingham via use-livecode
The user input was indirected through a variable in the safe version - not made 
part of the do string... That's the critical difference.

The unsafe version allows user input to change the do'd code, the safe version 
only changes the content of a variable the do string uses.

Warmest Regards,

Mark.

Sent from my iPhone

> On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode 
>  wrote:
> 
> Well yes, but as Bob mentioned, wouldn't a variable do the same thing?
> 
>  put ";delete hard drive;put " into x
>  do x
> 
> vs:
> 
>  do "put " && quote & ";delete hard drive;put " & quote && "into x"
> 
> This actually came up way back in MetaCard where it was pointed out that the 
> engine was about as secure as it gets as long as you validate all user input 
> when using "do" or (I think) "value". In the first example above, input needs 
> to be examined before the "do" command is issued. So I think there's a line 
> or two missing in there somewhere. ;)
> 
> 
>> On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
>> Think about the string that can be constructed in the quoted version - user 
>> input could be "; ...;put " where ... is any code you would like...
>> Sent from my iPhone
>>> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
>>>  wrote:
>>> 
>>> These look the same to me. Both versions place content into a variable. Is 
>>> the difference because of how the engine evaluates the input somehow?
>>> 
>>> --
>>> Jacqueline Landman Gay | jac...@hyperactivesw.com
>>> HyperActive Software | http://www.hyperactivesw.com
 On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
  wrote:
 
 Using do safely is the same as making database queries safe, or URL 
 requests.
 
 You 'just' need to make sure that any input from outside is sanitized to 
 ensure that it doesn't change the meaning of the expression you are 
 'doing'.
 
 For example, don't interpolate strings directly in the script using 
 quotes, use a local var instead:
 
 put user input into tVar1
 do "put tVar1 into x" -- safe
 
 Rather than
 
 do "put " && quote & user input & quote && "into x" -- not safe
 
 Warmest Regards,
 
 Mark.
 
 Sent from my iPhone
 
> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
>  wrote:
> 
> Dear Geniuses
> 
> Sometimes late at night just before falling asleep I think about the
> dangers of the do command.  Is it possible to inject code into this
> mechanism through malware?
> 
> I do not have enough understanding of operating systems and their processes
> ...and the livecode engine to be able to know if it's a reasonable
> question or not.
> 
> Thanks for any input on this.
> 
> 
> -- 
> Jacqueline Landman Gay | jac...@hyperactivesw.com
> HyperActive Software   | http://www.hyperactivesw.com
> 




Re: do. command. safety. ?

2018-03-30 Thread Richard Gaskin via use-livecode

Tom Glod wrote:

> Sometimes late at night just before falling asleep I think about
> the dangers of the do command.  Is it possible to inject code into
> this mechanism through malware?

Mark's discussion handled the security aspect well.

The only thing I could add would be to examine each case and determine 
if "do" is even needed at all there.


In addition to the risk of inviting arbitrary code execution, it's 
usually slower than any more direct alternative.  And its use is often 
dependent on concatenated expressions, making code more cumbersome to 
both write and read.


We used to use "do" a lot in HC, where we had to rely on it often to 
circumvent limitations with concatenated object references, variables 
with names that could not be known in advance, and others.


LC has much more intelligent handling of concatenated object 
expressions, and with arrays we can handle any number of variables where 
we need the variable name determined on the fly.


In LC "do" is still sometimes useful, but far less often.  I can't 
remember the last time I needed to use, probably a couple years ago.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.com   http://www.FourthWorld.com

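Richard's remark that the classic reason for `do` (a variable whose name is not known in advance) is better served by an array is shown below in Python, where a dict plays the array's role. This is an added example, not code from the thread or from LiveCode; the function names and the constructed field names are its own. It contrasts the evaluate-a-statement approach with the lookup approach on the same run-time names.

```python
"""Added example (not from the use-livecode thread): Richard's point that
`do` is often not needed at all. The classic reason for `do` was a
variable whose name is only known at run time; a dict (LiveCode: an array)
does that job without evaluating any program text. Names below are this
example's own.
"""

# Constructed field names, as a form might hand them over at run time.
NAMES = ["username", "first name", "nick = 1; flag = True; _"]


def store_with_exec(name, value):
    """The do-style way: build an assignment statement and evaluate it.

    Returns a small report so the outcome for each name can be compared.
    """
    scope = {"value": value, "flag": False}   # flag: marker for statements nobody wrote
    try:
        exec(name + " = value", scope)
    except SyntaxError as e:                   # a space in the name is enough to fail
        return {"ok": False, "error": type(e).__name__, "flag": scope["flag"]}
    return {"ok": True, "error": None, "flag": scope["flag"]}


def store_with_dict(record, name, value):
    """The do-free way: the name is just a key; no program text is built."""
    record[name] = value
    return record


def compare():
    """Apply both approaches to every constructed name."""
    record = {}
    report = {}
    for name in NAMES:
        report[name] = store_with_exec(name, "bob")
        store_with_dict(record, name, "bob")
    return report, record


if __name__ == "__main__":
    report, record = compare()
    for name, outcome in report.items():
        print(repr(name), "exec ->", outcome)
    print("dict keys:", list(record))
```

The plain name works either way; the name with a space, which a form label can easily produce, is a parse error for the evaluated statement but an ordinary key for the dict; and the third name shows that evaluated text also runs whatever statements the name carries (the marker flips), whereas the dict stores it as a key and nothing else. That is the robustness argument for preferring the lookup whenever it is available.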


Re: do. command. safety. ?

2018-03-30 Thread J. Landman Gay via use-livecode

Well yes, but as Bob mentioned, wouldn't a variable do the same thing?

  put ";delete hard drive;put " into x
  do x

vs:

  do "put " && quote & ";delete hard drive;put " & quote && "into x"

This actually came up way back in MetaCard where it was pointed out that 
the engine was about as secure as it gets as long as you validate all 
user input when using "do" or (I think) "value". In the first example 
above, input needs to be examined before the "do" command is issued. So 
I think there's a line or two missing in there somewhere. ;)



On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:

Think about the string that can be constructed in the quoted version - user input could 
be "; ...;put " where ... is any code you would like...

Sent from my iPhone


On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
 wrote:

These look the same to me. Both versions place content into a variable. Is the 
difference because of how the engine evaluates the input somehow?

--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com

On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
 wrote:

Using do safely is the same as making database queries safe, or URL requests.

You 'just' need to make sure that any input from outside is sanitized to ensure 
that it doesn't change the meaning of the expression you are 'doing'.

For example, don't interpolate strings directly in the script using quotes, use 
a local var instead:

put user input into tVar1
do "put tVar1 into x" -- safe

Rather than

do "put " && quote & user input & quote && "into x" -- not safe

Warmest Regards,

Mark.

Sent from my iPhone


On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
 wrote:

Dear Geniuses

Sometimes late at night just before falling asleep I think about the
dangers of the do command.  Is it possible to inject code into this
mechanism through malware?

I do not have enough understanding of operating systems and their processes
...and the livecode engine to be able to know if it's a reasonable
question or not.

Thanks for any input on this.



--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com



Re: do. command. safety. ?

2018-03-30 Thread Bob Sneidar via use-livecode
Couldn't the same be said about tVar? I suppose you mean that you could check 
the user input before doing it. 

Bob S

> On Mar 30, 2018, at 10:15 , Mark Waddingham via use-livecode 
>  wrote:
> 
> Think about the string that can be constructed in the quoted version - user 
> input could be "; ...;put " where ... is any code you would like...




Re: do. command. safety. ?

2018-03-30 Thread Mark Waddingham via use-livecode
Think about the string that can be constructed in the quoted version - user 
input could be "; ...;put " where ... is any code you would like...

Sent from my iPhone

> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
>  wrote:
> 
> These look the same to me. Both versions place content into a variable. Is 
> the difference because of how the engine evaluates the input somehow?
> 
> --
> Jacqueline Landman Gay | jac...@hyperactivesw.com
> HyperActive Software | http://www.hyperactivesw.com
>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
>>  wrote:
>> 
>> Using do safely is the same as making database queries safe, or URL requests.
>> 
>> You 'just' need to make sure that any input from outside is sanitized to 
>> ensure that it doesn't change the meaning of the expression you are 'doing'.
>> 
>> For example, don't interpolate strings directly in the script using quotes, 
>> use a local var instead:
>> 
>> put user input into tVar1
>> do "put tVar1 into x" -- safe
>> 
>> Rather than
>> 
>> do "put " && quote & user input & quote && "into x" -- not safe
>> 
>> Warmest Regards,
>> 
>> Mark.
>> 
>> Sent from my iPhone
>> 
>> > On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
>> >  wrote:
>> >
>> > Dear Geniuses
>> >
>> > Sometimes late at night just before falling asleep I think about the
>> > dangers of the do command.  Is it possible to inject code into this
>> > mechanism through malware?
>> >
>> > I do not have enough understanding of operating systems and their processes
>> > ...and the livecode engine to be able to know if it's a reasonable
>> > question or not.
>> >
>> > Thanks for any input on this.
>> 
>> 
>> ___
>> use-livecode mailing list
>> use-livecode@lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription 
>> preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 
> 
> 
> 
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode


Re: do. command. safety. ?

2018-03-30 Thread J. Landman Gay via use-livecode
These look the same to me. Both versions place content into a variable. Is 
the difference because of how the engine evaluates the input somehow?


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode
> wrote:
>
> Using do safely is the same as making database queries safe, or URL requests.
>
> You 'just' need to make sure that any input from outside is sanitized to
> ensure that it doesn't change the meaning of the expression you are 'doing'.
>
> For example, don't interpolate strings directly in the script using quotes,
> use a local var instead:
>
> put user input into tVar1
> do "put tVar1 into x" -- safe
>
> Rather than
>
> do "put " && quote & user input & quote && "into x" -- not safe
>
> Warmest Regards,
>
> Mark.
>
> Sent from my iPhone
>
> > On 30 Mar 2018, at 16:43, Tom Glod via use-livecode
> > wrote:
> >
> > Dear Geniuses
> >
> > Sometimes late at night just before falling asleep I think about the
> > dangers of the do command.  Is it possible to inject code into this
> > mechanism through malware?
> >
> > I do not have enough understanding of operating systems and their processes
> > ...and the livecode engine to be able to know if it's a reasonable
> > question or not.
> >
> > Thanks for any input on this.


Re: do. command. safety. ?

2018-03-30 Thread Tom Glod via use-livecode
Your point still applies about not being responsible that the user has
allowed malware onto their system.

On Fri, Mar 30, 2018 at 12:52 PM, Bob Sneidar via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Ah I saw command in the subject and thought you were talking about shell
> commands.
>
> Bob S
>
>
> > On Mar 30, 2018, at 09:49 , Tom Glod via use-livecode <
> use-livecode@lists.runrev.com> wrote:
> >
> > Valid point Bob. Thank You.
> >
> > Useful info, thanks Mark. I was doing it the right way sometimes, the
> > wrong way other times. Thank you.
>
>


Re: do. command. safety. ?

2018-03-30 Thread Bob Sneidar via use-livecode
Ah I saw command in the subject and thought you were talking about shell 
commands. 

Bob S


> On Mar 30, 2018, at 09:49 , Tom Glod via use-livecode 
>  wrote:
> 
> Valid point Bob. Thank You.
> 
> Useful info, thanks Mark. I was doing it the right way sometimes, the
> wrong way other times. Thank you.




Re: do. command. safety. ?

2018-03-30 Thread Tom Glod via use-livecode
Valid point Bob. Thank You.

Useful info, thanks Mark. I was doing it the right way sometimes, the
wrong way other times. Thank you.

On Fri, Mar 30, 2018 at 12:02 PM, Mark Waddingham via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Using do safely is the same as making database queries safe, or URL
> requests.
>
> You 'just' need to make sure that any input from outside is sanitized to
> ensure that it doesn't change the meaning of the expression you are 'doing'.
>
> For example, don't interpolate strings directly in the script using
> quotes, use a local var instead:
>
> put user input into tVar1
> do "put tVar1 into x" -- safe
>
> Rather than
>
> do "put " && quote & user input & quote && "into x" -- not safe
>
> Warmest Regards,
>
> Mark.
>
> Sent from my iPhone
>
> > On 30 Mar 2018, at 16:43, Tom Glod via use-livecode <
> use-livecode@lists.runrev.com> wrote:
> >
> > Dear Geniuses
> >
> > Sometimes late at night just before falling asleep I think about the
> > dangers of the do command.  Is it possible to inject code into this
> > mechanism through malware?
> >
> > I do not have enough understanding of operating systems and their
> > processes ...and the livecode engine to be able to know if it's a reasonable
> > question or not.
> >
> > Thanks for any input on this.


Re: do. command. safety. ?

2018-03-30 Thread Mark Waddingham via use-livecode
Using do safely is the same as making database queries safe, or URL requests.

You 'just' need to make sure that any input from outside is sanitized to ensure 
that it doesn't change the meaning of the expression you are 'doing'.

For example, don't interpolate strings directly in the script using quotes, use 
a local var instead:

put user input into tVar1
do "put tVar1 into x" -- safe

Rather than

do "put " && quote & user input & quote && "into x" -- not safe 

Warmest Regards,

Mark.

Sent from my iPhone

> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
>  wrote:
> 
> Dear Geniuses
> 
> Sometimes late at night just before falling asleep I think about the
> dangers of the do command.  Is it possible to inject code into this
> mechanism through malware?
> 
> I do not have enough understanding of operating systems and their processes
> ...and the livecode engine to be able to know if it's a reasonable
> question or not.
> 
> Thanks for any input on this.

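The safe pattern Mark describes, worked through as an added example that is not from the thread: the only dynamic part of the script is a property name checked against a fixed list, and the untrusted field value travels in a local variable that the do-string names rather than quotes. The field names "UserValue", "PropName" and "Target" and the constant kAllowedProps are assumptions for this example.

```livecode
-- Added example (not from the thread). Assumed stack layout: a field
-- "UserValue" holding untrusted text, a field "PropName" naming the
-- property to set, a field "Target" to receive it, and this handler on a button.
constant kAllowedProps = "label,tooltip,text"

on mouseUp
   local tValue, tProp, tScript
   put field "UserValue" into tValue        -- untrusted text from the form
   put word 1 of field "PropName" into tProp

   -- The genuinely dynamic part is the property name: accept only names we
   -- expect, so nothing the user typed is ever spliced into script text.
   if tProp is not among the items of kAllowedProps then
      answer "Unknown property:" && tProp
      exit mouseUp
   end if

   -- Safe form: the value is referenced by variable name. The script text
   -- contains no user-supplied characters, so a quote in tValue cannot end
   -- the literal and start a new statement; tValue is visible to "do"
   -- because "do" runs in this handler's context.
   put "set the" && tProp && "of field" && quote & "Target" & quote \
         && "to tValue" into tScript
   do tScript

   -- Not safe (the pattern Mark warns about): quoting the value into the
   -- script text lets a quote character in tValue terminate the literal.
   -- do "set the" && tProp && "of field Target to" && quote & tValue & quote
end mouseUp
```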

Re: do. command. safety. ?

2018-03-30 Thread Bob Sneidar via use-livecode
Any shell command that can do anything dangerous is typically protected by the 
host OS. You could not for example install software in a way that would bypass 
UAC in Windows. You *could* conceivably delete all the files in a folder I 
suppose, but you couldn't copy files to a protected location. Essentially 
anything the end user is capable of doing, LC can do, but this is not unique. 
You can say that about any application. If the IT department has given complete 
write access to everything to all their users (a common practice I am learning 
as I interact with our customer IT departments) then it's not up to LC to try 
to protect themselves from themselves. 

HTH
Bob S


> On Mar 30, 2018, at 08:43 , Tom Glod via use-livecode 
>  wrote:
> 
> Dear Geniuses
> 
> Sometimes late at night just before falling asleep I think about the
> dangers of the do command.  Is it possible to inject code into this
> mechanism through malware?
> 
> I do not have enough understanding of operating systems and their processes
> ...and the livecode engine to be able to know if it's a reasonable
> question or not.
> 
> Thanks for any input on this.

