Forum OpenACS Development: Re: a predefined variable like argv0, except for calling proc?

ps.

An immediate thought is that it could be rendered useless with "info vars", but AFAICT that requires executing inside one of the procs that has the variable defined.

"info vars" returns the variables from the current context. With the right upvar, or with a specified namespace prefix one can get information about variables in different contexts.

The question is whether you want to protect against incorrect usage or against intruders. If your system already has an intruder that can execute Tcl code, you are in bad shape, since every proc/cmd you define for protection can be reprogrammed on the fly to behave differently, functions can be renamed, variables can be altered, etc. Also, all of the Tcl builtins can be altered. For untrusted code, the most promising approach for Tcl is to work with safe slave interpreters [1], which provide a limited environment, containing just a subset of the commands. However, don't expect that much of OpenACS will run there.

So, it is primarily important to protect against intruders. Over the last weeks I have done some work with open source and commercial vulnerability scanners on openacs (some people might have observed some reboots and worse response times than usual on openacs.org). As a result, I have already submitted a series of security updates, and more will come.

all the best
-g
[1] http://www.tcl.tk/man/tcl8.5/TclCmd/interp.htm
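
The contrast drawn in the reply above (a guard proc that any Tcl code can redefine, versus a safe interpreter with a reduced command set), as an added Tcl example that is not part of the original posts and not OpenACS code. The names check_caller, lookup_title and get_title and the sample data are hypothetical.

```tcl
# Added illustration (Tcl 8.5+); all proc names and data are hypothetical.

# 1. In an ordinary interpreter a guard proc is only a convention:
#    any code that can run Tcl there can simply redefine it.
proc check_caller {} { error "call not permitted" }
proc check_caller {} { return ok }   ;# later definition replaces the guard
puts "guard now returns: [check_caller]"

# 2. A safe interpreter starts with a reduced command set. Commands that
#    reach the file system, processes or the network are hidden in it.
set child [interp create -safe]
foreach cmd {open exec socket source} {
    set found [interp eval $child [list info commands $cmd]]
    puts [format "%-7s visible in safe interp: %s" $cmd [expr {$found ne ""}]]
}

# 3. Expose exactly one vetted operation through an alias. The alias target
#    runs in the parent, so the child sees the command but not its body.
proc lookup_title {id} {
    set titles {1 "Front page" 2 "Forums"}   ;# constructed sample data
    if {![string is integer -strict $id] || ![dict exists $titles $id]} {
        error "unknown id"
    }
    return [dict get $titles $id]
}
interp alias $child get_title {} lookup_title

# Constructed untrusted script: the alias works, hidden commands do not,
# and the parent's proc name does not exist inside the child.
set untrusted {
    set out [list [get_title 2]]
    catch {exec ls} err
    lappend out $err
    lappend out [info commands lookup_title]
    set out
}
puts [interp eval $child $untrusted]

# Redefining a command inside the child only affects the child.
interp eval $child {proc get_title {id} {return changed}}
puts "parent still answers: [lookup_title 1]"

interp delete $child
```

The alias is the whole attack surface the child gets, so its target has to validate every argument itself, as lookup_title does here.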

LOL, so hiding a variable is a feeble way to protect against intruders --if an attacker has access to code. That's acceptable. It's been a fun exercise. I've learned a lot from it. It was intended to only protect against "incorrect usage", i.e. calls outside of the UI/api. The ecommerce package avoided this issue by using monolithic code blocks via connections only --difficult to debug or revise.

I'm so glad that security audits continue so proactively. This is so important for maintaining successful app frameworks --including open source ones-- and especially for a time-tested, mature one like OpenACS. Thank you.

I might try Next Scripting next year --or when it comes time to re-factor completed apps. After learning some polymorphism/object oriented principles, I am re-factoring code under development --cutting line count in half while producing cleaner, more legible code.

cheers,
Ben