Type | Wish | Status | dismissed | Date | 21-Aug-2009 22:00 |
---|---|---|---|---|---|
Version | alpha 79 | Category | Security | Submitted by | BrianH |
Platform | All | Severity | minor | Priority | high |
Summary | SECURE 'alias setting |
---|---|
Description |
ALIAS has been changed so that ALIAS word! word! doesn't work anymore (#341), but it can still be used to disable REBOL. If you use ALIAS to alias words that have already been defined and used, you can break the existing uses of those words, as shown in #1163, #1164 and #1165 (imagine those done maliciously). However, we can't block ALIAS altogether because it is needed to implement R3's case-preservation of words. I propose that an 'alias setting be added to SECURE, and that ALIAS check that setting, only in the case where the alias differs by spelling, not capitalization. This would allow the case preservation to continue to work, but deny any potentially harmful respellings. This is safer than unsetting or hiding 'alias and having TO use an internal reference, since there would be no danger of references leaking out. This way ALIAS could be safely used in some module to do internationalization, then locked down to prevent denial-of-service. It lets us restore the R2 level of alias security without giving up any flexibility. |
Example code |
alias 'blah "system" |
Assigned to | n/a | Fixed in | - | Last Update | 31-Jan-2011 06:13 |
---|---|---|---|---|---|
Comments | |
---|---|
(0001571)
Carl 30-Aug-2009 19:33 |
First, I consider ALIAS breaking existing word definitions a bug (probably in RESOLVE.) This should not happen.
But, that issue aside, I'd prefer to ask: does anyone use ALIAS? If not, I propose dropping it. Why? Because this function is too advanced at the concept level for casual programmers to use well -- because it enables symbolic equivalence, something missing from the functionality of nearly/probably all other languages. So, it becomes problematic, creating more issues than it solves. |
(0003067)
BrianH 31-Jan-2011 06:13 |
As of alpha 111 the ALIAS function has been removed (see #1835) so the security issue this request was meant to solve is no longer an issue. |
Date | User | Field | Action | Change |
---|---|---|---|---|
31-Jan-2011 06:13 | BrianH | Comment : 0003067 | Added | - |
31-Jan-2011 06:11 | BrianH | Status | Modified | waiting => dismissed |
30-Aug-2009 19:34 | carl | Comment : 0001571 | Modified | - |
30-Aug-2009 19:33 | carl | Comment : 0001571 | Added | - |
30-Aug-2009 19:24 | carl | Description | Modified | - |
30-Aug-2009 19:24 | carl | Status | Modified | submitted => waiting |
21-Aug-2009 22:00 | BrianH | Ticket | Added | - |