Mailing List Archive: 49091 messages

load and mold/all security issue

 [1/6] from: rotenca::telvia::it at: 24-Sep-2003 13:59


Hi, all

try:

o: context [a: 1 b: func [][a]]
o/b ;==1
;and then
o2: load mold/all o
o2/b
** Script Error: a word has no context
** Where: b
** Near: a

Function body is not bound against the object context.

Feedback answered to me that this happens for security reasons.
Can someone explain it to me? I do not understand where is the security problem.

---
Ciao
Romano

 [2/6] from: nitsch-lists:netcologne at: 24-Sep-2003 16:57


On Wednesday, 24 September 2003 13:59, Romano Paolo Tenca wrote:
> Hi, all
> try:
<<quoted lines omitted: 10>>
> Can someone explain it to me? I do not understand where is the security
> problem.

binding against global context would be a problem.
someone sends you data. you load it. you expect something like
o: context [ a: 1 b: 2]
you code "do-something-with o/a"
somebody sends you
o: context[ a: 1 b: func[][ take-over-system ] ]
..

> ---
> Ciao
> Romano
-Volker

 [3/6] from: ptretter:charter at: 24-Sep-2003 10:07


I would be very interested in that security issue also. Otherwise, it looks like a bug to me without a good explanation.

Paul Tretter

 [4/6] from: rotenca:telvia:it at: 25-Sep-2003 15:17


Hi Volker,
i'm not sure you are right, when you say:

> someone sends you data. you load it. you expect something like
> o: context [ a: 1 b: 2]
> you code "do-something-with o/a"
> somebody sends you
> o: context[ a: 1 b: func[][ take-over-system ] ]

Doing a loaded program cannot be sure. The same can happen with

> somebody sends you

o: [ take-over-system]
if you do it in a way or in another:
do o
context o
do does o

What you say would be true only if no word would be bound to the global context, but this happens only with functions and object.

I understand that a word cannot be serialized in every situation, but i think that it should be bound either to a serialized upper level context or to the global context.

Until yesterday i thought that mold/all was a more general version of mold, but now i am convinced that it is a different tool, which can be used only to serialize a specific kind of Rebol data (no words).

I also ask why to serialize a function which cannot be used like a function. If only security is the target, mold/all should not serialize any function at all.

I also ask why words in blocks are bound and not words in objects or functions.

---
Ciao
Romano

 [5/6] from: nitsch-lists:netcologne at: 25-Sep-2003 19:22


On Thursday, 25 September 2003 15:17, Romano Paolo Tenca wrote:
> Hi Volker,
> i'm not sure you are right, when you say:
<<quoted lines omitted: 7>>
> o: [ take-over-system]
> if you do it in a way or in another:

no, i don't do the block. i only access fields.

!>> data: load mold/all reduce[context[x: 1 y: 2] context[x: 2 y: 3]]
== [
    make object! [
        x: 1
        y: 2
    ]
    make object! [
        x: 2
        y: 3
    ]]

i like this. i get data from a client, i can access

!>> data/1/x
== 1
!>> data/2/x
== 2

I can even have nested objects.
i don't want to execute code of course. so if someone sends

!>> data: load mold/all reduce[context[x: func[][print "Yup"] y: 2] context[x: 2 y: 3]]
== [
    make object! [
        x: func [][print "Yup"]
        y: 2
    ]
    make object! [
        x: 2
        y: 3
    ]]
>> data/1/x
** Script Error: print word has no context
** Where: x
** Near: print "Yup"

see? no do, only field-access. but the function gets executed. if it would be bound to global context, it would say "Yup". And could contain more malicious code than a print.
If you use this for communication between /view-client and cgi and i edit the client, my server.
So i could not use save/all with messages i get. i can because no words are bound.

without mold/all binding to global is ok. because you cannot create "hot" code. you can only send the function in pieces.
[ func [] [print "Yup"] ]
which is not the function, only the words to create one.
(that is, with newer rebols. the released /core is safe, the /view-beta too. with old but official /view 1.2.1 there are some tricks based on hot values and executable headers. use load/all for headers there and access values always with :value instead of "value" so it will not be executed.)

I may be a bit paranoid in this security array, seeing the verify-level of "worlds most dominant best os". Has the drawback some things are blocked, like mold/all and functions, or file-access sometimes. but it's so cool not to think much about data-encoding..
and a "secure[file quit %save-dir/ allow %readonly-dir/ [allow read]]" in cgi-scripts protects against filename-exploits.

> do o
> context o
> do does o
>
> What you say would be true only if no word would be bound to the global
> context, but this happens only with functions and object.
>

never 'do untrusted data. if you don't do, words are not executable. but functions are. Assign them to a variable and use it, access them by a path.. but they can not contain working code, only give errors.

> I understand that a word cannot be serialized in every situation, but i
> think that it should be bound either to a serialized upper level context or to
> the global context.
>
> Until yesterday i thought that mold/all was a more general version of mold,
> but now i am convinced that it is a different tool, which can be used only
> to serialize a specific kind of Rebol data (no words).
>

mold/all is meant for data. without /all, some values are encoded by words and need execution.

!>> type? none
== none!

in a script it's no problem, none gets executed, "make object[..]" gets executed. but in data sent by someone, i don't like execution. but

!>> type? load mold none
== word! ;wrong, so
!>> type? do load mold none
== none! ;right, but do this only with trusted data. now we use
!>> type? load mold/all none
== none! ;right :)

also string-series are safer encoded.

!>> load mold to-email "space inside"
** Syntax Error: Invalid word -- space inside
** Near: (line 1) space inside
!>> load probe mold to-email "space inside"
space inside
** Syntax Error: Invalid word -- space inside
** Near: (line 1) space inside
!>> load probe mold/all to-email "space inside"
{#[email! "space inside"]}
== space inside
!>> type? load mold/all to-email "space inside"
== email!

> I also ask why to serialize a function which cannot be used like a
> function. If only security is the target, mold/all should not serialize any
> function at all.
>
> I also ask why words in blocks are bound and not words in objects or
> functions.
>

Confuses me too. I guess: the words can not be executed automatically. so it does not matter. but one can put a function-pack in the data.

!>> a: mold/all [ [context[f: func[][print "yup"]] ]]
== {[[context [f: func [] [print "yup"]]]]}
!>> b: load a
== [[context [f: func [] [print "yup"]]]]
!>> c: do first b
!>> c/f
yup

So one can put a password or something in the data, load, verify password and execute code.

!>> a: mold/all [ password "grttldp" code [func[][print "yup"]] ]
== {[password "grttldp" code [func [] [print "yup"]]]}
!>> b: load a
== [password "grttldp" code [func [] [print "yup"]]]
!>> if "grttldp" = b/password[f: do b/code f]
yup

and under attack:
>> a: mold/all reduce[ 'password func[][print "got you!"] 'code []]
== {[password #[function! [][print "got you!"]] code []]}
>> b: load a
== [password func [][print "got you!"] code []]
>> if "grttldp" = b/password[f: do b/code f]
** Script Error: print word has no context
** Where: password
** Near: print "got you!"
:-)

isn't that subtle? ;)

(Now if loading it would be more stable. Gabriele noted problems)

> ---
> Ciao
> Romano

(Hope it's readable)

Ciao
-Volker
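
Added example, not part of the original thread and not the poster's code: one way to enforce the "data only, no execution" assumption described in the message above is to reject loaded data that carries any function value before its fields are touched, and to read fields with get-words or `get in` so nothing is called. `contains-function?` is a hypothetical helper name, the sample messages are constructed, and a REBOL 2 release that supports mold/all is assumed.

```rebol
REBOL [Title: "Reject function values in loaded data (added example)"]

; contains-function? is a hypothetical helper, not a REBOL built-in.
; It returns true if VALUE, or anything nested inside it, is a function.
; Values are only fetched with get-words (:item) or GET IN, so a
; function hidden in the data is inspected but never called.
contains-function?: func [value /local item word] [
    if any-function? :value [return true]
    if object? :value [
        foreach word next first :value [    ; NEXT skips 'self
            if contains-function? get in :value word [return true]
        ]
        return false
    ]
    if any-block? :value [
        foreach item :value [
            if contains-function? :item [return true]
        ]
    ]
    false
]

; Constructed sample messages, shaped like the ones in the thread.
good: mold/all reduce [context [x: 1 y: 2] context [x: 2 y: 3]]
bad:  mold/all reduce [context [x: func [] [print "Yup"] y: 2]]

foreach msg reduce [good bad] [
    data: load msg
    either contains-function? data [
        print "rejected: message carries a function value"
    ][
        ; GET IN reads the field without evaluating it
        print ["accepted, first x =" get in data/1 'x]
    ]
]
```

The check runs before any path access such as data/1/x, because that path access is what triggers evaluation of a function stored in a field.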

 [6/6] from: rotenca:telvia:it at: 25-Sep-2003 21:38


Hi Volker,
> no, i don't do the block. i only access fields.
good point!
> ** Script Error: print word has no context
> ** Where: password
> ** Near: print "got you!"
> :-)
>
> isn't that subtle? ;)

yes :-)

---
Ciao
Romano

Notes
  • Quoted lines have been omitted from some messages.
    View the message alone to see the lines that have been omitted