REBOL3 tracker
Ticket #0001941
Type: Bug   Status: submitted   Date: 23-Jan-2013 02:37
Version: alpha 108   Category: Syntax   Submitted by: BrianH
Platform: All   Severity: minor   Priority: high

Summary: Length-specified script embedding doesn't work
Description: Carl requested that I add length-specified script embedding for the 2.100.108 release. The sys/load-header function supports this, but some higher-up functions still have some bugs that prevent this from working for DO, IMPORT and LOAD. Fortunately, this is a simple fix (after a lot of analysis which I've already done).

This is a particularly nasty bug since script checksums work properly with the length header, but regular LOAD, IMPORT and DO don't. This makes it quite easy to bypass the module import checksum protections by adding malicious code after the specified length.

See the example code for expected behavior.
Example code
; Expected behavior
>> load {rebol [length: 14] print "hello" other stuff}
== [print "hello"]
>> do {rebol [length: 14] print "hello" other stuff}
hello
>> words-of import {rebol [length: 5] a: 1 b: 2}
== [a]
>> checksum/secure to-binary { print "nice code"}
== #{8C6B1F285BFF4C7FD6A5232F41D082EE303D2E19}
>> load {rebol [length: 18 checksum: #{8C6B1F285BFF4C7FD6A5232F41D082EE303D2E19}] print "nice code" evil code}
== [print "nice code"]
>> import/check {rebol [length: 18 checksum: #{8C6B1F285BFF4C7FD6A5232F41D082EE303D2E19}] print "nice code" print "evil code"} checksum/secure to-binary { print "nice code"}
nice code


; Current behavior
>> load {rebol [length: 14] print "hello" other stuff}
== [print "hello" other stuff]
>> do {rebol [length: 14] print "hello" other stuff}
hello
** Script error: other has no value
** Where: catch either -apply- do
** Near: catch/quit either var [[do/next data var]] [data]
>> words-of import {rebol [length: 5] a: 1 b: 2}
== [a b]
>> checksum/secure to-binary { print "nice code"}
== #{8C6B1F285BFF4C7FD6A5232F41D082EE303D2E19}
>> load {rebol [length: 18 checksum: #{8C6B1F285BFF4C7FD6A5232F41D082EE303D2E19}] print "nice code" evil code}
== [print "nice code" evil code]
>> import/check {rebol [length: 18 checksum: #{8C6B1F285BFF4C7FD6A5232F41D082EE303D2E19}] print "nice code" print "evil code"} checksum/secure to-binary { print "nice code"}
nice code
evil code

Assigned to: n/a   Fixed in: -   Last Update: 23-Jan-2013 04:06


Comments

Date User Field Action Change
23-Jan-2013 04:06 BrianH Description Modified -
23-Jan-2013 04:06 BrianH Code Modified -
23-Jan-2013 04:06 BrianH Priority Modified normal => high
23-Jan-2013 02:37 BrianH Ticket Added -
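
The mismatch reported in this ticket, modelled as an added example in Python (not REBOL code and not the project's loader): the checksum covers only the first `length` bytes, so a loader that returns everything after the header passes unverified trailing content to the evaluator. The header regex, the function names and the use of SHA-1 for `checksum/secure` are assumptions of this sketch; the sample script is constructed.

```python
import hashlib
import re

# Simplified model of a header such as: rebol [length: 18 checksum: #{...}]
HEADER = re.compile(rb'rebol \[length: (\d+)(?: checksum: #\{([0-9A-Fa-f]+)\})?\]')

def split_script(script: bytes):
    """Return (declared_length, checksum_hex_or_None, bytes_after_header)."""
    m = HEADER.match(script)
    if m is None:
        raise ValueError("no length-specified header")
    digest = m.group(2).decode().lower() if m.group(2) else None
    return int(m.group(1)), digest, script[m.end():]

def verify(covered: bytes, digest):
    """SHA-1 check over the covered bytes, when the header carries a checksum."""
    if digest is not None and hashlib.sha1(covered).hexdigest() != digest:
        raise ValueError("checksum mismatch")

def load_current(script: bytes) -> bytes:
    """Behaviour reported in the ticket: verify N bytes, hand back all of them."""
    length, digest, rest = split_script(script)
    verify(rest[:length], digest)
    return rest  # trailing, unverified bytes reach the evaluator

def load_expected(script: bytes) -> bytes:
    """Expected behaviour: only the verified span is returned."""
    length, digest, rest = split_script(script)
    if length > len(rest):
        raise ValueError("declared length exceeds script size")
    body = rest[:length]
    verify(body, digest)
    return body

def trailing_bytes(script: bytes) -> bytes:
    """Bytes outside the declared length; non-empty means unverified content."""
    length, _, rest = split_script(script)
    return rest[length:]

# Constructed sample mirroring the ticket's import/check case.
GOOD = b' print "nice code"'
DIGEST = hashlib.sha1(GOOD).hexdigest().upper().encode()
SAMPLE = (b'rebol [length: %d checksum: #{%s}]' % (len(GOOD), DIGEST)
          + GOOD + b' print "evil code"')

if __name__ == "__main__":
    print("current :", load_current(SAMPLE))
    print("expected:", load_expected(SAMPLE))
    print("trailing:", trailing_bytes(SAMPLE))
```

A non-empty `trailing_bytes` result is a quick audit check for scripts whose checksum does not cover everything a pre-fix loader would evaluate.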