I use INTERPRET here and there, but pretty rarely. About the only program with
it that I use all the time is something I call "EV" (for "evaluate"), which acts
as a sort of ad-hoc calculator:
parse arg v1                 /* v1 = the expression typed on the command line */
interpret 'v2='v1            /* evaluate that text as a REXX expression */
say v1'='v2                  /* show the expression and its value */
Thus I can say on any ISPF command line "tso ev 228/15" and learn how many
cylinders that dataset is. Or "tso ev mvsvar('SYSNAME')" to look at the local
node name. Or "tso ev xxx(45)" to test a new external REXX function.
But I keep thinking about the possibilities for malice in any tool I write for
public use, and worry about it. I can't think of any examples, because as
Itschak points out below, it's always going to run under the perpetrator's own
ID, so INTERPRET isn't giving him any capabilities he doesn't already have.
Can anyone point me to an example of how this would become a Bad Thing? I'm
really curious.
---
Bob Bridges, [email protected], cell 336 382-7313
/* Here is one of the great ironies of contemporary feminism: Elite young women
these days take their cues about how to behave primarily from unmarried (and
therefore adolescent) males. -Maggie Gallagher, 2002-05-20 */
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
ITschak Mugzach
Sent: Monday, September 13, 2021 09:43
Why hijack? Write your own code. Anyway, it runs under your user…
We switched some INTERPRET commands to VALUE since the sending field was
larger than 256 bytes. VALUE doesn't care.
--- On Mon, 13 Sep 2021 at 16:35, Gary Freestone <[email protected]
> A few years back I switched from INTERPRET to VALUE due to concerns I
> had from a security perspective.
>
> Value only performs an evaluation and assigns it to a variable.
> Interpret lets you do any thing.
>
> Take, for example, your sample code. If I could hijack your code and
> add a single line to the REXX, I could issue a JES2 command. The
> line is
>
> def=';x=isfcalls(on);address sdsf "isfexec /$DI";istr="DEF";say "DEF" '
>
> Sure, in this case it's just a harmless $DI, but it could be anything. The
> only difference in the output is an example blank line.
>
> Sent from Mail for Windows
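An added illustration of the INTERPRET-versus-VALUE point made above (example code, not from anyone in this thread): indirect assignment through INTERPRET splices untrusted text into a clause that is reparsed, while VALUE stores the same text as data. The variable name and content are assumed to arrive from an untrusted field; the sample values are constructed.

```rexx
/* Added example, not from the thread: assigning to a variable whose
   name is only known at run time. NAME and CONTENT are assumed to come
   from an untrusted source such as a panel field (constructed values). */
name    = 'FIELD1'
content = 'abc";say "this text would run as a second clause'

/* Unsafe form: the content is spliced into a clause and reparsed by
   INTERPRET. The embedded quote ends the literal, and the text after
   the ';' becomes a separate REXX clause that executes.  Shown only as
   a comment so this program never runs it:
   interpret name'="'content'"'                                        */

/* Safe form: VALUE(name, newvalue) assigns the string as data.  Nothing
   in CONTENT is parsed, so quotes and semicolons stay inside the value. */
call value name, content

/* Read it back through VALUE as well; the stored string is unchanged */
say name 'now holds:' value(name)

/* The same check for the EV program: an expression has to be
   interpreted, so its only guard is that the input comes from the user
   whose authority the exec runs under. Reject anything with a clause
   separator if the exec is ever driven by data the user did not type. */
arg expr
if pos(';', expr) > 0 then do
  say 'clause separator not allowed in an expression'
  exit 8
end
exit 0
```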
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN