merge()


Niggemann, Bernd via use-livecode
I just had a thought while pondering some code from another thread.  I have
done things like put merge("This is a random number: [[random(tNum)]]")

Since merge can do what do can, is there a way this method could be taken
advantage of using an injection type of attack?   I'm thinking the answer
is no (and I haven't managed to find a way to inject yet), other than
allowing a user to build the whole merge string themselves (which would be
a "bad thing to do" (c)).

Am I wrong?  Is it safe as long as I don't do anything careless?
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: merge()

Niggemann, Bernd via use-livecode
I think that as long as you control the string that is passed to merge you
should be fine.  But if the user were able to directly influence the string
that is passed to merge, then they certainly could inject something.

put the text of field 1 into tMerge
-- dangerous: the field's text is the template itself, so any [[...]] or <? ... ?> in it is evaluated
put merge(tMerge) into tDangerousUse
-- safe: the template is a literal in the script; the field's text is only substituted as the value of tMerge
put merge("Field 1 contains: [[tMerge]]") into tSafeUse

So, I think your assumption is correct.

On Fri, Jun 15, 2018 at 8:06 PM, Mike Bonner via use-livecode <[hidden email]> wrote:
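To make the distinction in the reply above concrete, here is an added worked example in LiveCode script. It is not code from the thread or from LiveCode's own documentation; the handler, the function name, the field name "Input" and the attacker string are all constructed for illustration. The point it shows is that merge() evaluates every [[expression]] and runs every <?statement?> in whatever string it receives, so the template argument is code, and user text must only ever reach merge() as the value of a variable named inside a template you wrote yourself.

```livecode
-- Added example (not from the original thread): why merge() must never be
-- handed user-controlled text as its template. Field "Input", the handler
-- and isSafeForMergeTemplate are assumptions made for this illustration.

function isSafeForMergeTemplate pText
   -- Reject anything merge() would treat as a directive. This is defence in
   -- depth only; the real fix is to pass user text as data, never as template.
   if pText contains "[[" or pText contains "<?" then
      return false
   end if
   return true
end isSafeForMergeTemplate

on mouseUp
   -- Constructed attacker input, as a user might type it into field "Input".
   -- It is an ordinary string until something feeds it to merge() as the template.
   put "Hello [[shell(" & quote & "id" & quote & ")]]" into tUserText
   put tUserText into field "Input"

   -- Dangerous use: the user's text IS the template, so the [[...]] inside it
   -- is evaluated and shell("id") runs with the rights of the LiveCode process.
   -- Left commented out so this handler does not actually execute it.
   -- put merge(field "Input") into tDangerous

   -- Safe use: the template is a literal in our script and the user's text is
   -- only the VALUE of tUserText. merge() substitutes that value verbatim; it
   -- does not rescan the substituted value for [[...]] or <? ... ?>.
   put merge("Field Input contains: [[tUserText]]") into tSafe

   -- If some code path must accept a template-like string from outside, refuse
   -- it outright rather than trying to escape it.
   if not isSafeForMergeTemplate(tUserText) then
      put "rejected: input contains merge() directives" into tSafe
   end if

   answer tSafe
end mouseUp
```

The same rule applies to anything derived from user input, such as a line read from a file, a URL parameter or a database row: build the merge() template from string literals in your own script and reference the untrusted data only through a variable name inside [[...]].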

Re: merge()

Niggemann, Bernd via use-livecode
Cool, thanks!

On Fri, Jun 15, 2018 at 7:58 PM Brian Milby <[hidden email]> wrote: