The user input was indirected through a variable in the safe version - not made 
part of the do string... That's the critical difference.

The unsafe version allows user input to change the do'd code, the safe version 
only changes the content of a variable the do string uses.

Warmest Regards,

Mark.

Sent from my iPhone

> On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode 
> <use-livecode@lists.runrev.com> wrote:
> 
> Well yes, but as Bob mentioned, wouldn't a variable do the same thing?
> 
>  put ";delete hard drive;put " into x
>  do x
> 
> vs:
> 
>  do "put " && quote & ";delete hard drive;put " & quote && "into x"
> 
> This actually came up way back in MetaCard where it was pointed out that the 
> engine was about as secure as it gets as long as you validate all user input 
> when using "do" or (I think) "value". In the first example above, input needs 
> to be examined before the "do" command is issued. So I think there's a line 
> or two missing in there somewhere. ;)
> 
> 
>> On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
>> Think about the string that can be constructed in the quoted version - user 
>> input could be "; ...;put " where ... is any code you would like...
>> Sent from my iPhone
>>> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode 
>>> <use-livecode@lists.runrev.com> wrote:
>>> 
>>> These look the same to me. Both versions place content into a variable. Is 
>>> the difference because of how the engine evaluates the input somehow?
>>> 
>>> --
>>> Jacqueline Landman Gay | jac...@hyperactivesw.com
>>> HyperActive Software | http://www.hyperactivesw.com
>>>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
>>>> <use-livecode@lists.runrev.com> wrote:
>>>> 
>>>> Using do safely is the same as making database queries safe, or URL 
>>>> requests.
>>>> 
>>>> You 'just' need to make sure that any input from outside is sanitized to 
>>>> ensure that it doesn't change the meaning of the expression you are 
>>>> 'doing'.
>>>> 
>>>> For example, don't interpolate strings directly in the script using 
>>>> quotes, use a local var instead:
>>>> 
>>>> put user input into tVar1
>>>> do "put tVar1 into x" -- safe
>>>> 
>>>> Rather than
>>>> 
>>>> do "put " && quote & user input & quote && "into x" -- not safe
>>>> 
>>>> Warmest Regards,
>>>> 
>>>> Mark.
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
>>>>> <use-livecode@lists.runrev.com> wrote:
>>>>> 
>>>>> Dear Geniuses
>>>>> 
>>>>> Sometimes.... late at night just before falling asleep I think about the
>>>>> dangers of the do command.  Is it possible to inject code into this
>>>>> mechanism through malware?
>>>>> 
>>>>> I do not have enough understanding of operating systems and their processes
>>>>> ...and the livecode engine....to be able to know if its a reasonable
>>>>> question or not.
>>>>> 
>>>>> Thanks for any input on this.
> 
> 
> -- 
> Jacqueline Landman Gay         |     jac...@hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
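To make the difference the thread describes concrete, here is an added Python analog (not code from the list or from LiveCode itself): `exec` plays the role of `do`, `do_unsafe` mirrors `do "put " && quote & user input & quote && "into x"`, and `do_safe` mirrors `put user input into tVar1` followed by `do "put tVar1 into x"`. The hostile input and the `injected` sentinel are constructed for the demonstration.

```python
import ast

# Constructed sample input: closes the quoted string, appends a statement
# (a harmless sentinel here), then re-opens a string so the code still parses.
INJECTING_INPUT = '"; injected = True; y = "'


def do_unsafe(user_input: str) -> dict:
    """Analog of: do "put " && quote & user input & quote && "into x".

    The input is spliced into the source text before it is compiled, so it
    can change the code itself, not just the value that ends up in x.
    """
    script = 'x = "' + user_input + '"'
    env = {}
    exec(script, {}, env)
    return env


def do_safe(user_input: str) -> dict:
    """Analog of: put user input into tVar1 ; do "put tVar1 into x".

    The script text is fixed; the input only exists as the content of a
    variable the script reads, so it cannot alter what is executed.
    """
    env = {"tVar1": user_input}
    exec("x = tVar1", {}, env)
    return env


def statement_count(script: str) -> int:
    """How many statements the interpreter sees in a script string.

    A defender's check: a single fixed statement should never turn into more
    than one, whatever the input contains.
    """
    return len(ast.parse(script).body)


if __name__ == "__main__":
    spliced = 'x = "' + INJECTING_INPUT + '"'
    print("unsafe script:", spliced, "->", statement_count(spliced), "statements")
    print("unsafe result:", do_unsafe(INJECTING_INPUT))
    print("safe result:  ", do_safe(INJECTING_INPUT))
```

With the hostile input the unsafe form executes three statements and x ends up empty, while the safe form stores the input verbatim, quotes and semicolons included.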


_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode