The question is exactly what did you type into the field? It's unclear
whether the quotes in your email are part of the email, or part of the
field content.
Here's a case that definitely shows the difference:
button "Button"
on mouseup
  local tVar, tX
  -- the field text is spliced into the script string, so the engine parses it as code
  do "put " && quote & the text of fld 1 & quote && "into tX"
  put "now tx=" && tX & CR after msg
end mouseup
and button "safe"
on mouseup
  local tVar, tX
  put fld 1 into tVar
  -- the script string is fixed; the field text only ever reaches it as the value of tVar
  do "put tVar into tX"
  put "now tx=" && tX & CR after msg
end mouseup
and into the field I typed
1+2+3" into tt;set the backcolor of btn 1 to blue;put "
Clicking button 'safe' gives
now tx= 1+2+3" into tt;set the backcolor of btn 1 to blue;put "
after the msg box; and repeated clicks there produce extra lines all the
same.
Clicking button 'button' gives
now tx=
in the msgbox, and the button color changes.
So the embedded command within the field is being executed.
-- Alex.
On 31/03/2018 20:03, J. Landman Gay via use-livecode wrote:
At the risk of appearing to be obtuse...I tried both versions of the
"do" and got the same results. In each case, the variable was
populated but no code was executed. In a test stack with one field and
one button, I entered ";set the backcolor of btn 1 to blue;put ". In
the button script I tried both versions of your example (substituting
"fld 1" for "user input".) I also tried it without the semicolons and
extra "put " at the end.
In each case the variable x contained "set the backcolor of btn 1 to
blue" and the button did not change color.
I am quite sure you are right, but could you provide an example where
the embedded command would actually execute?
On 3/30/18 7:06 PM, Mark Waddingham via use-livecode wrote:
The user input was indirected through a variable in the safe version
- not made part of the do string... That's the critical difference.
The unsafe version allows user input to change the do'd code, the
safe version only changes the content of a variable the do string uses.
Warmest Regards,
Mark.
Sent from my iPhone
On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode
<use-livecode@lists.runrev.com> wrote:
Well yes, but as Bob mentioned, wouldn't a variable do the same thing?
put ";delete hard drive;put " into x
do x
vs:
do "put " && quote & ";delete hard drive;put " & quote && "into x"
This actually came up way back in MetaCard where it was pointed out
that the engine was about as secure as it gets as long as you
validate all user input when using "do" or (I think) "value". In the
first example above, input needs to be examined before the "do"
command is issued. So I think there's a line or two missing in there
somewhere. ;)
On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
Think about the string that can be constructed in the quoted
version - user input could be "; ...;put " where ... is any code
you would like...
Sent from my iPhone
On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode
<use-livecode@lists.runrev.com> wrote:
These look the same to me. Both versions place content into a
variable. Is the difference because of how the engine evaluates
the input somehow?
--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode
<use-livecode@lists.runrev.com> wrote:
Using do safely is the same as making database queries safe, or
URL requests.
You 'just' need to make sure that any input from outside is
sanitized to ensure that it doesn't change the meaning of the
expression you are 'doing'.
For example, don't interpolate strings directly in the script
using quotes, use a local var instead:
put user input into tVar1
do "put tVar1 into x" -- safe
Rather than
do "put " && quote & user input & quote && "into x" -- not safe
Warmest Regards,
Mark.
Sent from my iPhone
On 30 Mar 2018, at 16:43, Tom Glod via use-livecode
<use-livecode@lists.runrev.com> wrote:
Dear Geniuses

Sometimes.... late at night just before falling asleep I think about the
dangers of the do command. Is it possible to inject code into this
mechanism through malware?

I do not have enough understanding of operating systems and their
processes ...and the livecode engine....to be able to know if its a
reasonable question or not.

Thanks for any input on this.
--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
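Added example, not code from the thread or from LiveCode: a Python analogue of Alex's two button scripts, with exec standing in for do and the same shape of field input (a string that closes the quote, adds a statement, and reopens the quote). The names do_unsafe, do_safe, FIELD_TEXT and the changed flag are constructed for this illustration.

```python
"""Python analogue of the LiveCode `do` injection discussed in the thread.

exec plays the role of do. The unsafe helper splices the field text into
the script source (the `quote & input & quote` form); the safe helper
passes it in as a variable binding (the `put tVar into` form), so the
engine never parses the input as code. Constructed example, not LiveCode's
or the list members' code.
"""

# Constructed field content, mirroring Alex's test input: it closes the
# quoted string, runs an extra statement (here it just flips a flag, the
# stand-in for "set the backcolor of btn 1 to blue"), then reopens a
# string so the tail of the template still parses.
FIELD_TEXT = '1+2+3"; changed = True; _ = "'


def do_unsafe(field_text: str) -> dict:
    """Interpolate the input into the script text, like button "Button"."""
    env = {"changed": False}
    script = 'tX = "' + field_text + '"'
    exec(script, env)  # the input is parsed and executed as code
    return {"tX": env.get("tX"), "changed": env["changed"]}


def do_safe(field_text: str) -> dict:
    """Bind the input to a variable the fixed script reads, like button "safe"."""
    env = {"changed": False, "tVar1": field_text}
    exec("tX = tVar1", env)  # the script never changes; the input is only data
    return {"tX": env.get("tX"), "changed": env["changed"]}


if __name__ == "__main__":
    # Unsafe: tX is truncated to "1+2+3" and the injected statement ran.
    print("unsafe:", do_unsafe(FIELD_TEXT))
    # Safe: tX holds the whole field text verbatim and nothing else ran.
    print("safe:  ", do_safe(FIELD_TEXT))
```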