[REBOL] Load vs Load/All
From: sanghabum::aol::com at: 26-Aug-2001 13:39
Hi there,
Jeff (I think) in Zine/4 writes:
====
In fact, LOAD/all is the safest LOAD and you should use it whenever LOADing
a string or file from an untrusted source (like CGI, for instance).
<snip>
LOAD/all will always give you a block whereas LOAD will give you a single
item if there is only one item. LOAD/all always produces a block as a
convenience because it is the "paranoid" LOAD. Whatever you give LOAD/all, it
always gives you an unevaluated block of that thing. So if you do:
    error? try [load/all some-random-string]
you can't go wrong. LOAD/all you can.
====
That's good advice, and it showed me how I had a security flaw in my
code... Just doing a Load on a CGI field is a route to an immediate shutdown
if the field contains "Rebol [Quit]".
But it seems to be a ticking timebomb .... Each Load/All uses up (at least)
one entry in System/words -- e.g.
    loop 2000 [
        load/all join "A" [Random 50000]
        print length? first system/words
    ]
When First System/words hits 4095 (or thereabouts: I believe the number
differs across systems), my 24x7 application goes down like a Microsoft
server.
I'm using Load/All to convert an untrusted string into a date or decimal or
string. Does anyone have a workaround for its unwanted behavior? Or am I
writing the function 'ConvertUntrusted ?
--Thanks,
--Colin.
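
One shape the 'ConvertUntrusted function asked about above could take, as an added example that is not part of the original post: the string is matched against character-level PARSE rules and is never handed to LOAD, so arbitrary input is never scanned into words. The name convert-untrusted, the rule names and the accepted dd-Mon-yyyy date layout are assumptions made for this sketch; it assumes REBOL 2 (parse/all).

```rebol
REBOL [Title: "convert-untrusted (added example, not from the original post)"]

digit:  charset "0123456789"
letter: charset [#"a" - #"z" #"A" - #"Z"]

; Only these two shapes are ever passed on to a converter (assumed formats).
decimal-rule: [opt ["+" | "-"] some digit opt ["." some digit]]
date-rule:    [1 2 digit "-" 3 letter "-" 4 digit]   ; e.g. 26-Aug-2001

convert-untrusted: func [
    "Return a date!, a decimal!, or the trimmed string itself."
    text [string!]
    /local value
][
    text: trim copy text
    ; The grammar check comes first; TRY catches well-formed but
    ; invalid values such as an unknown month name.
    if parse/all text date-rule [
        if not error? try [value: to-date text] [return value]
    ]
    if parse/all text decimal-rule [
        if not error? try [value: to-decimal text] [return value]
    ]
    text    ; anything else stays an inert string
]

; Constructed sample inputs, including the hostile one from the post.
foreach sample ["26-Aug-2001" "-3.14" "Rebol [Quit]" "A12345"] [
    value: convert-untrusted sample
    print [mold sample "->" mold type? value mold value]
]

; Same stress loop as in the post, with LOAD/all replaced.
; Compare the word count before and after on your own build.
before: length? first system/words
loop 2000 [convert-untrusted join "A" [random 50000]]
print ["words before:" before "after:" length? first system/words]
```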