World: r3wp
[!REBOL3]
| older newer | first last |
| BrianH 9-Oct-2011 [9690] | a func [] [do something to get access to hidden-stuff] The function a doesn't exclude functions from its arguments and it refers to its argument with a word rather than a get-word, so it can be tricked into running code while it is running. That means its context is valid while the exploit code is running. |
| Ladislav 9-Oct-2011 [9691] | So, once again, your example demonstrating the existence of the (purported and nonexistent) reason failed. |
| BrianH 9-Oct-2011 [9692x2] | The 'stuff word isn't hidden, but it isn't leaked while the function is running. That means that the exploit code only has access to the :a function value. |
So, come up with some exploit code (that doesn't use STACK because we're assuming SECURE 'debug works). This is a real problem. | |
| Ladislav 9-Oct-2011 [9694] | Do I understand correctly, that this is what you propose as demonstrating the reason for the functions not being accepted by BIND? a: func [] [do something to get access to hidden-stuff] |
| BrianH 9-Oct-2011 [9695] | No, you added a : there. The function is being passed to a as an argument. |
| Ladislav 9-Oct-2011 [9696] | aha, sorry, now I see. |
| BrianH 9-Oct-2011 [9697x2] | a func [] [print get bind 'stuff :a] |
I had to go though the mezzanine code pretty carefully to consider what happens when functions are passed as arguments to the mezzanine functions. Some functions like REPLACE and ARRAY were modified to take advantage of that trick pretty nicely. | |
| Ladislav 9-Oct-2011 [9699] | OK, but nothing of that kind applies to the case of BIND [...] 'some-variable |
| BrianH 9-Oct-2011 [9700x2] | True, which is why I was convinced by that particular argument :) |
then the ban on BIND to a function-context-bound word when the function isn't running has no security benefit :) | |
| Ladislav 9-Oct-2011 [9702] | Yes, it only prevents some meaningful uses |
| BrianH 9-Oct-2011 [9703] | Especially ones where the bound words are leaked intentionally to provide access to the context. It sounds worthy of a wish ticket in CureCode. |
| Ladislav 9-Oct-2011 [9704] | Unfortunately, the whole issue may be quite long to present completely |
| BrianH 9-Oct-2011 [9705] | I'll write it up, if it's OK to copy some of your arguments from above into the ticket. |
| Ladislav 9-Oct-2011 [9706x2] | Anything |
So, for the case of BIND [...] function the main difference is, that it cannot be done regardless of whether the function is running or not, which can be considered a security measure, then. | |
| BrianH 9-Oct-2011 [9708] | Yup. And BODY-OF returning an unbound copy prevents code like this: print get second body-of :a PROTECT/hide doesn't affect existing bindings, so you need to be careful about leaking those too. |
| BrianH 10-Oct-2011 [9709] | Initial version of the ticket made: http://issue.cc/r3/1893 |
| Ladislav 10-Oct-2011 [9710] | Supporting comment added. |
| Henrik 11-Oct-2011 [9711x2] | would it not be practical if REMOVE-EACH could /SKIP ? |
nevermind. please ignore request. | |
| Ladislav 11-Oct-2011 [9713] | remove-each [value skip] my-block [...] |
| Henrik 11-Oct-2011 [9714] | ladislav, yes, saw it just now. :-) |
| Andreas 12-Oct-2011 [9715x2] |
The only function in R3 that operates that way is TRANSCODE, so as
long as it doesn't choke on overlong combinations
#{c0ae} is an overlong encoding for #"." (#{2e}).
>> invalid-utf? #{c0ae}
== #{C0AE}
>> transcode #{c0ae}
== [® #{}]
>> transcode #{2e}
== [. #{}]
|
So for words, transcode is behaving strange. On the other hand, for
strings ({"} is #{22}):
>> transcode #{22c0ae22}
== ["." #{}]
| |
| BrianH 12-Oct-2011 [9717] | So, on R3 INVALID-UTF? flags overlong encodings? Sorry I missed that. Better fix the R2/Forward version accordingly. |
| Andreas 12-Oct-2011 [9718] | No, it doesn't. |
| BrianH 12-Oct-2011 [9719] | And we could use a ticket for the TRANSCODE bugs. |
| Andreas 12-Oct-2011 [9720] | Or at least, it behaves the same as in R2. |
| BrianH 12-Oct-2011 [9721x2] | INVALID-UTF? returns the series at the position of the first invalid sequence. If it doesn't flag it returns none. |
If it is returning anything other than none for an overlong form, it is screening for overlong forms. | |
| Andreas 12-Oct-2011 [9723] | It is only in this particular case. |
| BrianH 12-Oct-2011 [9724] | Other overlong forms are not being screened for, but one form is? That would also be worth a ticket. |
| Andreas 12-Oct-2011 [9725x3] | No, that's nothing to do with overlong forms, but with PARSE in combination with bitsets being broken. |
Which definitely is worth a ticket. | |
>> parse/all #{f0} reduce [charset [#{d0}]]
== true
| |
| BrianH 12-Oct-2011 [9728] | I'm talking about the R3 version, which is a native that doesn't use PARSE. Do you think it's a related bug? |
| Andreas 12-Oct-2011 [9729x2] | Mixed up R2 and R3 here. |
The above is a bug in R3, in any case. | |
| BrianH 12-Oct-2011 [9731] | Well, if it doesn't have a ticket yet it could use one. |
| Andreas 12-Oct-2011 [9732x5] | Ok. R2's invalid-utf? catches all 2-byte overlong forms, but not all 3 or 4-byte overlong forms. |
#{e080af} is an overlong form for #"/", for example.
| |
R2>> invalid-utf? #{e080af}
R2== none
R3>> invalid-utf? #{e080af}
R3== #{e080af}
| |
Same for the 4-byte overlong sequence #{f08080af}. R3 correctly detects
it as wrong, R2 does not.
| |
So, R3's invalid-utf? seems to flag overlong encodings in general. R2(/Forward)'s invalid-utf? only catches overlong forms for 2-byte sequences, but not for 3- or 4-byte sequences. | |
| BrianH 12-Oct-2011 [9737x3] | Good - we can fix R2's version, but not easily fix R3's. |
Change of subject: Has anyone sent mass emails in R3? I need to send some (legitimately, internally) from data that R3 processed. | |
What about 5 or 6 byte overlong forms? | |
| older newer | first last |