World: r3wp

blah: module [] [hidden hidden-stuff: "something you want" a: func 
[code /stuff] [stuff: hidden-stuff code]]
blah/a func [] [do something to get access to hidden-stuff]

OK, fine, an example that looks meaningful to you.

So, do I assume correctly, that I cannot examine the BLAH module 
to get the HIDDEN-STUFF value?

It's just a placeholder. If you have a PROTECT/hide exploit, that's 
interesting too but off-topic.

Does not matter, it is just an assumption, I am just asking whether 
you don't mind me making it.

Right. Let me make that more explicit:

import module [] [hidden hidden-stuff: "something you want" export 
a: func [code /stuff] [stuff: hidden-stuff code]]

In those circumstances a reference to :a is copied to lib/a, but 
there is no reference to the module saved except the PROTECT/hide 
reference to hidden-stuff in the block of :a.

Or rather it's copied to system/contexts/user/a, but the point remains 
the same.

Yes, OK. So, now, let me cite:


The reason for this is so that functions can prevent access to their 
context from leaking to code *that the function calls* that could 
be exploited while the function is running.
 - don't you see, that your purported reason fails?

Why it fails: because, even knowing the bound version of the 'stuff 
variable does not help me to get the HIDDEN-STUFF, so, the purported 
reason does not exist

a func [] [do something to get access to hidden-stuff]


The function a doesn't exclude functions from its arguments and it 
refers to its argument with a word rather than a get-word, so it 
can be tricked into running code while it is running. That means 
its context is valid while the exploit code is running.

So, once again, your example demonstrating the existence of the (purported 
and nonexistent) reason failed.

The 'stuff word isn't hidden, but it isn't leaked while the function 
is running. That means that the exploit code only has access to the 
:a function value.

So, come up with some exploit code (that doesn't use STACK because 
we're assuming SECURE 'debug works). This is a real problem.

Do I understand correctly, that this is what you propose as demonstrating 
the reason for the functions not being accepted by BIND?

a: func [] [do something to get access to hidden-stuff]

No, you added a : there. The function is being passed to a as an 
argument.

aha, sorry, now I see.

a func [] [print get bind 'stuff :a]

I had to go though the mezzanine code pretty carefully to consider 
what happens when functions are passed as arguments to the mezzanine 
functions. Some functions like REPLACE and ARRAY were modified to 
take advantage of that trick pretty nicely.

OK, but nothing of that kind applies to the case of BIND [...] 'some-variable

True, which is why I was convinced by that particular argument :)

then the ban on BIND to a function-context-bound word when the function 
isn't running has no security benefit
 :)

Yes, it only prevents some meaningful uses

Especially ones where the bound words are leaked intentionally to 
provide access to the context. It sounds worthy of a wish ticket 
in CureCode.

Unfortunately, the whole issue may be quite long to present completely

I'll write it up, if it's OK to copy some of your arguments from 
above into the ticket.

Anything

So, for the case of BIND [...] function the main difference is, that 
it cannot be done regardless of whether the function is running or 
not, which can be considered a security measure, then.

Yup. And BODY-OF returning an unbound copy prevents code like this:
	print get second body-of :a

PROTECT/hide doesn't affect existing bindings, so you need to be 
careful about leaking those too.

Initial version of the ticket made: http://issue.cc/r3/1893

Supporting comment added.

would it not be practical if REMOVE-EACH could /SKIP ?

nevermind. please ignore request.

remove-each [value skip] my-block [...]

ladislav, yes, saw it just now. :-)

The only function in R3 that operates that way is TRANSCODE, so as 
long as it doesn't choke on overlong combinations

#{c0ae} is an overlong encoding for #"." (#{2e}).

>> invalid-utf? #{c0ae}
== #{C0AE}

>> transcode #{c0ae}
== [® #{}]

>> transcode #{2e}
== [. #{}]

So for words, transcode is behaving strange. On the other hand, for 
strings ({"} is #{22}):

>> transcode #{22c0ae22}
== ["." #{}]

So, on R3 INVALID-UTF? flags overlong encodings? Sorry I missed that. 
Better fix the R2/Forward version accordingly.

No, it doesn't.

And we could use a ticket for the TRANSCODE bugs.

Or at least, it behaves the same as in R2.

INVALID-UTF? returns the series at the position of the first invalid 
sequence. If it doesn't flag it returns none.

If it is returning anything other than none for an overlong form, 
it is screening for overlong forms.

It is only in this particular case.

Other overlong forms are not being screened for, but one form is? 
That would also be worth a ticket.

No, that's nothing to do with overlong forms, but with PARSE in combination 
with bitsets being broken.

Which definitely is worth a ticket.

>> parse/all #{f0} reduce [charset [#{d0}]]
== true

I'm talking about the R3 version, which is a native that doesn't 
use PARSE. Do you think it's a related bug?

Mixed up R2 and R3 here.