[REBOL] Re: [bug?] Problem with 'load
From: nitsch-lists:netcologne at: 28-Nov-2003 23:51
On Friday, 28 November 2003 19:50, [SunandaDH--aol--com] wrote:
> Thanks to everyone who contributed responses.
>
> I've now updated REBOL.org to use Romano's load-header script rather than a
> direct load/all/header in all the places (lots!) we load a header to get
> values about a script.
>
> This was a potentially damaging integrity exposure (my old-timer IBMese for
> hackable security flaw) in the Library.....
>
If we use /core 2.5.6, then not.
this is old /view 1.2.1:
>> load "rebol[print {hehe}]"
hehe
== [
]
and this core 2.5.6:
>> load "rebol[print {hehe}]"
== [
]
IIRC it's mentioned somewhere in the /core change-log.
> .....Anyone could have inserted active code in a header and contributed it
> as a script. That code would have been executed on the server when we did
> the load/header. The result could have been nasty.
>
> This remains a potential danger for any REBOL-based CGI site that loads
> headers of contributed code in the old manner.....If you have such a site,
> please check your code and see if you need to replace load/header with
> Romano's script.
>
> I'm impressed (as usual) with the usefulness of this ML and the helpfulness
> of the people on it. Less than 24 hours from reporting a problem to having
> a fix available. Outstanding, everyone!!
>
> Thanks everyone again!
> Sunanda.
-Volker