On Wed, 06 Jan 2010, Szakáts Viktor wrote:
> To smoothen the security edge of this feature,
> maybe it would be nice to allow to limit the set
> of functions made available through RPC on the
> server side. This way programmer could have total
> control over this aspect without worrying about
> function being linked without knowledge or intent,
> and keep verifying .map files to find out.

Any limits by function list are usually very easy to exploit. As long as you do not plan to give access to some very small set of functions then sooner or later a hacker finds a way to pass some string to the macrocompiler and make what he only wants, i.e. if you allow executing ordListAdd() then he can create an index file with a key expression having functions you wanted to block, etc. Such things have to be resolved inside HVM. See the information I left about it in xhb-diff.txt at the end of the NAMESPACEs section.

Now instead of implementing a feature which gives rather an illusion of security instead of real protection I suggest adding a very simple extension: a user function which can be registered in the NETIO socket and executed instead of the really requested functions, so if the user thinks that such a list is enough for him then he can make sth like:

   static s_funcLst := { "STR"=>, "DATE"=>, "TIME"=> }

   func mywrapper( sFunc, ... )
      if sFunc:name $ s_funcLst
         return sFunc:exec( ... )
      endif
   return nil

best regards,
Przemek
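
The point made in the message above, as an added Python model that is not part of the original post and is not Harbour code: a name filter at the RPC boundary refuses a direct call, yet the same function still runs through the key expression handled by an allowed call, while a check enforced inside the evaluator refuses it. The `Server` class, the `BLOCKED` function, the dict-shaped index and the toy `macro_eval` are all assumptions made for illustration.

```python
import re

# Constructed model of an RPC server; every name here is hypothetical.
class Server:
    def __init__(self, rpc_allowed, vm_allowed=None):
        self.rpc_allowed = set(rpc_allowed)  # checked only at the RPC entry point
        self.vm_allowed = vm_allowed         # checked inside the evaluator; None = unchecked
        self.executed = []                   # records calls to BLOCKED and ORDLISTADD
        self.funcs = {"STR": str, "BLOCKED": self._blocked,
                      "ORDLISTADD": self._ord_list_add}

    def _blocked(self, arg):
        # Stand-in for a function the operator wanted to keep off limits.
        self.executed.append("BLOCKED")
        return 0

    def _ord_list_add(self, index):
        # Opening an index evaluates its key expression (simplified model).
        self.executed.append("ORDLISTADD")
        return self.macro_eval(index["key"])

    def macro_eval(self, expr):
        # Toy macro compiler: evaluates NAME('literal') and nothing else.
        m = re.fullmatch(r"\s*(\w+)\(\s*'([^']*)'\s*\)\s*", expr)
        if m is None:
            raise ValueError("unsupported expression")
        name = m.group(1).upper()
        if self.vm_allowed is not None and name not in self.vm_allowed:
            raise PermissionError(f"{name} refused inside the evaluator")
        return self.funcs[name](m.group(2))

    def rpc(self, name, *args):
        # Name filter at the RPC boundary, same shape as mywrapper().
        name = name.upper()
        return self.funcs[name](*args) if name in self.rpc_allowed else None

def demo():
    index = {"key": "BLOCKED('x')"}  # constructed client-supplied index
    filtered = Server({"STR", "ORDLISTADD"})
    direct = filtered.rpc("BLOCKED", "x")   # refused by the name filter
    filtered.rpc("ORDLISTADD", index)       # allowed name, blocked function runs anyway
    enforced = Server({"STR", "ORDLISTADD"}, vm_allowed={"STR"})
    try:
        enforced.rpc("ORDLISTADD", index)
        refused = False
    except PermissionError:
        refused = True
    return direct, filtered.executed, enforced.executed, refused
```
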