REBOL3 tracker
  0.9.12 beta
Ticket #0001212

Type: Wish | Status: dismissed | Date: 21-Aug-2009 22:00
Version: alpha 79 | Category: Security | Submitted by: BrianH
Platform: All | Severity: minor | Priority: high

Summary: SECURE 'alias setting
Description: ALIAS has been changed so that ALIAS word! word! doesn't work anymore (#341), but it can still be used to disable REBOL. If you use ALIAS to alias words that have already been defined and used, you can break the existing uses of those words, as shown in #1163, #1164 and #1165 (imagine those done maliciously). However, we can't block ALIAS altogether because it is needed to implement R3's case-preservation of words.

I propose that an 'alias setting be added to SECURE, and that ALIAS check that setting, only in the case where the alias differs by spelling, not capitalization. This would allow the case preservation to continue to work, but deny any potentially harmful respellings. This is safer than unsetting or hiding 'alias and having TO use an internal reference, since there would be no danger of references leaking out.

This way ALIAS could be safely used in some module to do internationalization, then locked down to prevent denial-of-service. It lets us restore the R2 level of alias security without giving up any flexibility.
Example code:
alias 'blah "system"

Assigned to: n/a | Fixed in: - | Last Update: 31-Jan-2011 06:13


Comments
(0001571)
Carl
30-Aug-2009 19:33

First, I consider ALIAS breaking existing word definitions a bug (probably in RESOLVE.) This should not happen.

But, that issue aside, I'd prefer to ask: does anyone use ALIAS?

If not, I propose dropping it.

Why? Because this function is too advanced at the concept level for casual programmers to use well -- because it enables symbolic equivalence, something missing from the functionality of nearly/probably all other languages. So, it becomes problematic, creating more issues than it solves.

(0003067)
BrianH
31-Jan-2011 06:13

As of alpha 111 the ALIAS function has been removed (see #1835) so the security issue this request was meant to solve is no longer an issue.

Date | User | Field | Action | Change
31-Jan-2011 06:13 | BrianH | Comment : 0003067 | Added | -
31-Jan-2011 06:11 | BrianH | Status | Modified | waiting => dismissed
30-Aug-2009 19:34 | carl | Comment : 0001571 | Modified | -
30-Aug-2009 19:33 | carl | Comment : 0001571 | Added | -
30-Aug-2009 19:24 | carl | Description | Modified | -
30-Aug-2009 19:24 | carl | Status | Modified | submitted => waiting
21-Aug-2009 22:00 | BrianH | Ticket | Added | -