r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

[!REBOL3]

BrianH
5-May-2011
[8433]
pretend something is more secure than it actually is

 - the biggest security concern of R3 is making sure that outside 
 code can't modify the code of functions.


There are various tricks that can be done in order to make sure that 
doesn't happen (putting calls to function values in parens, APPLY, 
SECURE 'debug). DO of blocks and parens don't need the APPLY or DO 
in a paren tricks in order to make sure they can't modify the calling 
code because they can't take parameters, so you can DO blocks and 
parens without changes to your source code - SECURE 'debug doesn't 
require changes to source code. This means that less effort is needed 
to make DO of blocks or parens more secure than DO of functions that 
can take parameters. The same goes for DO of any non-function type.


If you constrain DO of paths or words with functions assigned to 
them to not be able to take parameters, then they would be exactly 
as secure as DO of blocks or parens, and can be called with the same 
code - no additional code wrappers or screening would be needed. 
This would make DO of words or paths a drop in substitute for DO 
of blocks or parens.
Ladislav
5-May-2011
[8434]
Would that be acceptable to you?
 - I found out, that everyone except you is against it
BrianH
5-May-2011
[8435]
No, you found that out about functions, not blocks.
Ladislav
5-May-2011
[8436]
or, maybe not, we should make another poll
BrianH
5-May-2011
[8437x2]
Remember, having it evaluate blocks and parens like that would make 
it not consistent with how words and paths are treated when evaluated 
inline.
Consistency was the biggest argument you had for the treatment of 
word values with functions assigned to them.
Ladislav
5-May-2011
[8439]
Well, it looks, that

    do 'a ; == (1 + 2)

may be more convenient
BrianH
5-May-2011
[8440]
Cool.
Ladislav
5-May-2011
[8441x3]
(not that I intend to use it frequently)
It is interesting, that for the case:

    lit-word: first ['a]
    do [type? lit-word]

we have only two opinions
currently, and both prefer the lit-word! datatype as the result
BrianH
5-May-2011
[8444x3]
That isn't what you said in #1434 - you said that you would prefer 
getting the word! type.
I'm more concerned with people trying to sneak functions into data, 
which could then use parameters to get access to the original code 
of another function. This can be used for code injection, or for 
getting access to bound words that have since been hidden, or to 
internal contexts. Given that words are often valid data, having 
a special case where they can execute functions by sneaking in a 
bound word is a real concern. However, if that function can't take 
parameters, there is no hacking potential and function code can be 
secure. The workaround if you don't want any functions executed (beyond 
the hacking) could be to unbind words retrieved from data, bind them 
to a known context, or just avoid using DO word or path altogether.
As for #1434 (and your most recent code example), I would prefer 
to have lit-words and lit-paths be consistently active values (the 
way lit-words are in R3 now) for the same reasons you proposed #1881 
and #1882. This means having them convert to word and path when they 
are evaluated instead of just gotten. But if you would prefer them 
to be a special case like parens (the way lit-paths are in R3 now), 
that would work for me too as long as that is the case for both lit-words 
and lit-paths - it would make them a little easier to work with.
Maxim
5-May-2011
[8447]
I'd prefer lit words to be "dead", its so much pain to preserve lit-words 
within datasets.  I've often had "word has no value" errors when 
building data blocks for dialects or datasets which are being manipulated 
one way or another .
BrianH
5-May-2011
[8448]
I meant the "you" in "if you would prefer" to be the collective "you", 
the consensus opinion, not necessarily that of you in particular, 
Ladislav :)
Maxim
5-May-2011
[8449]
;-)
BrianH
5-May-2011
[8450]
If lit-words are turned into a special case, being otherwise inactive 
(like lit-paths are now), that would work for me. Though normally 
we would want lit-words to be converted to words, if the #1882 change 
to word evaluation goes through, that would mean that lit-words could 
change to words which could execute functions. If that kind of thing 
could happen, I would rather it happen through explicit conversions 
so you can see it in the code.
Ladislav
5-May-2011
[8451x3]
in #1434 I did not say anything about my preferences
I just asked whether a note about "incosistency" contained in there 
was appropriate
not to mention, that the example here is not the example in #1434
BrianH
5-May-2011
[8454]
I guess I had trouble parsing this sentence:

I do *not* propose the result of 

do quote 'a 

to be a lit-word, 
since the word really looks reasonable to me.


That seemed to be a preference for lit-words converting to words 
in that case, though I may have misinterpreted that.
Ladislav
5-May-2011
[8455]
in my opinion, the behaviour of

    do quote 'a

expression is something else than the behaviour of the

    lit-word: first ['a]
    do [type? lit-word]

example
BrianH
5-May-2011
[8456x2]
Whether or not there is going to be a difference between inline evaluation 
of lit-words and evaluation of lit-word values, evaluation of lit-word 
values needs to be consistent whether you do so by referring to them 
with an inline word, or through explicit DO. R2's behavior is a bug.
The choice is between having behavior like what R3's lit-words do 
now (fully active), or what R3's lit-paths do now (special case for 
inline evaluation, otherwise inactive).
Ladislav
5-May-2011
[8458]
Once again that "consistent" word. There is the main difference. 
I do not think you can call "inconsistency" any difference in the 
evaluation of the former and the latter expression, since the former 
expression is about handling lit-words as arguments of the DO function, 
while the latter is about handling words as inline block values, 
when they refer to lit-words.
BrianH
5-May-2011
[8459]
I've been using the terms inline evaluation for having the value 
inline in the code, regular evaluation for when the value is referred 
to through an inline word, and explicit evaluation for when the value 
is passed to DO directly. If the first is to be different, the latter 
two need to be consistent with each other, same as with parens.
Ladislav
5-May-2011
[8460x4]
I intendedly coined the terms

active value

 to refer to a value that when encountered inline in a block does 
 not evaluate to itself
word-active value
 to refer to how a word is evaluated when referring to a value
These two cannot be "consistent" nor "inconsistent"
for example, parens are active, but they are word-inactive
(which is conveinient)
BrianH
5-May-2011
[8464x2]
OK. There is stuff like functions, and these are called "active values" 
- they behave consistently for inline, regular or explicit evaluation. 
There is stuff like parens, which behave one way for inline, and 
a different way for regular or explicit evaluation - what term would 
you like to use to refer to this pattern with? Because those are 
the only two choices that would make sense with lit-words and lit-paths.
Maxim apparently prefers that lit-words and lit-paths act like parens, 
and so does Geomol. I would be OK with that model.
Ladislav
5-May-2011
[8466]
I prefer that as well
BrianH
5-May-2011
[8467]
Then please say so in a comment to #1434, so we can have a consensus 
recorded :)
Ladislav
5-May-2011
[8468]
OK, I will try
BrianH
5-May-2011
[8469x2]
Then I can change the "should be" comments in the ticket example 
code accordingly :)
The proposed model is something like this:
>> 'a/1 
== a/1 ; inline evaluation of lit-path converts to path 
>> b: quote 'a/1 
== 'a/1 
>> b 

== 'a/1 ; regular evaluation of lit-path value does not convert to 
path 
>> do :b 

== 'a/1 ; explicit evaluation of lit-path value does not convert 
to path


So it's not exactly like parens, but it's what Maxim, Geomol and 
I would prefer.
Ladislav
5-May-2011
[8471]
Your terminology:

inline evaluation
regular evaluation
and
explicit evaluation


is acceptable for me (although I am not sure about the "regular evaluation", 
isn't there a chance to find a better notion?)
BrianH
5-May-2011
[8472]
I hope so - that term seems to need too much explanation.
Ladislav
5-May-2011
[8473]
how about "indirect evaluation"?
BrianH
5-May-2011
[8474]
implicit?
Ladislav
5-May-2011
[8475x3]
(there is a level of idirection, since an evaluated word refers to 
a value)
so, my preferred would be "indirect evaluation"
But, again, we actually can see two kinds of indirect evaluation:

Inline indirect evaluation
, or "explicit indirect evaluation"
BrianH
5-May-2011
[8478x2]
Sure. The reason I called it "regular" is because a word! has no 
markings, either in terms of characters added to the syntax, or qualifiers 
added to the type name. This implies that word! evaluation is the 
default, or the regular style, while the others are exceptional.
:a evaluation is inline too, so "inline indirect evaluation" could 
apply to that.
Ladislav
5-May-2011
[8480]
Why I hesitated to write my preferences regarding indirect evaluation 
of lit-words was, that I felt the #1434 ticket was more about the 
explicit evaluation
BrianH
5-May-2011
[8481x2]
The #1434 ticket is about making lit-word and lit-path consistent 
with each other, and about documenting some of the intentional changes 
from R2.
Are you OK with this, Ladislav?
>> 'a/1 
== a/1 
>> b: quote 'a/1  b 
== 'a/1 
>> do quote 'a/1 
== 'a/1

Or do you require this?
>> do quote 'a/1 
== a/1