Well yes, but as Bob mentioned, wouldn't a variable do the same thing?

  put ";delete hard drive;put " into x
  do x

vs:

  do "put " && quote & ";delete hard drive;put " & quote && "into x"

This actually came up way back in MetaCard where it was pointed out that the engine was about as secure as it gets as long as you validate all user input when using "do" or (I think) "value". In the first example above, input needs to be examined before the "do" command is issued. So I think there's a line or two missing in there somewhere. ;)


On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
Think about the string that can be constructed in the quoted version - user input could be "; ...;put " where ... is any code you would like...

Sent from my iPhone

On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode <use-livecode@lists.runrev.com> wrote:

These look the same to me. Both versions place content into a variable. Is the difference because of how the engine evaluates the input somehow?

--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode <use-livecode@lists.runrev.com> wrote:

Using do safely is the same as making database queries safe, or URL requests.

You 'just' need to make sure that any input from outside is sanitized to ensure that it doesn't change the meaning of the expression you are 'doing'.

For example, don't interpolate strings directly in the script using quotes, use a local var instead:

put user input into tVar1
do "put tVar1 into x" -- safe

Rather than

do "put " && quote & user input & quote && "into x" -- not safe

Warmest Regards,

Mark.

Sent from my iPhone

On 30 Mar 2018, at 16:43, Tom Glod via use-livecode <use-livecode@lists.runrev.com> wrote:

Dear Geniuses

Sometimes... late at night just before falling asleep I think about the dangers of the do command. Is it possible to inject code into this mechanism through malware?

I do not have enough understanding of operating systems and their processes ...and the livecode engine... to be able to know if it's a reasonable question or not.

Thanks for any input on this.


--
Jacqueline Landman Gay         |     jac...@hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
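Added example, not code from the thread: a LiveCode handler that runs Mark's unsafe (quoted interpolation) and safe (variable reference) patterns side by side against a constructed piece of "user input" that closes the quoted literal and smuggles in its own statement. The handler name, the script-local sInjected (which is only ever written if attacker-supplied statements actually execute) and the constructed input are assumptions for illustration; the thread's "delete hard drive" has been replaced by a harmless marker write so the demo can be run as-is.

```livecode
-- Added example (not from the thread). sInjected is a canary: it is only
-- assigned by the statement hidden inside the constructed input below.
local sInjected

command demoDoInjection
   local tInput, x

   -- Constructed "user input" (assumption, for illustration): a closing quote,
   -- a newline, an attacker statement, then a newline and a reopening quote
   -- so that the spliced-together script still parses. A text field lets a
   -- user type a newline; the ";" separator Mark shows would serve as well.
   put "a" & quote & return & "put " & quote & "owned" & quote & " into sInjected" \
         & return & "put " & quote & "b" into tInput

   -- Not safe: the input becomes part of the script text that "do" compiles,
   -- so every statement it contains is executed.
   put empty into sInjected
   put empty into x
   do "put " & quote & tInput & quote & " into x"
   put "unsafe: x = " & x & ", sInjected = " & sInjected & return into msg
   -- x is "b" and sInjected is "owned": the attacker's statement ran

   -- Safe: the script only names the variable. The engine never parses the
   -- input; it is copied as data, so x holds the whole string and the canary
   -- stays empty.
   put empty into sInjected
   put empty into x
   do "put tInput into x"
   put "safe: x = " & x & ", sInjected = " & sInjected after msg
   -- x is the full input and sInjected is still empty
end demoDoInjection
```

The second form is the scripting equivalent of a parameterized query: the code string is a fixed literal, and tInput is resolved by the engine at run time as a value, so no characters in the input can change what gets compiled. That only holds while the input is meant to be data. If the user is supposed to supply an expression or statement (Jacqueline's `do x`, where the input is the script), no variable trick helps and the input itself has to be validated before it is handed to do.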
