For stem assignments in a subroutine I prefer to use the STEMPUSH / STEMPULL routines available from CBT. I forget the CBT file number, but you can look it up there.
Of course a vendor can't count on those CBT routines being available at a customer site, but for in-company solutions they work flawlessly. WRT the original question, I would think the only real exposure is if the program using interpret could be seen / used by an external or internal hacker to try to accomplish a privilege elevation, though I can't think of a practical way for them to do that. My mind just doesn't bend like that.

Peter

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Martin Packer
Sent: Monday, September 13, 2021 10:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: REXX - Interpret or Value - Which is better?

My main use case for interpret is passing back a string with stem variable assignments from a procedure. Then the caller of the procedure interprets the string - which has semicolons to separate the assignment statements. I don't much like it but it seems the best I can do.

Martin Packer

From: "ITschak Mugzach" <imugz...@gmail.com>
To: IBM-MAIN@LISTSERV.UA.EDU
Date: 13/09/2021 14:43
Subject: [EXTERNAL] Re: REXX - Interpret or Value - Which is better?
Sent by: "IBM Mainframe Discussion List" <IBM-MAIN@LISTSERV.UA.EDU>

Why hijack? Write your own code. Anyway, it runs under your user…

We switched some of the interpret commands to value since the sending field was larger than 256 bytes. Value doesn't care.

ITschak

On Mon, 13 Sep 2021 at 16:35, Gary Freestone <maz...@iinet.net.au> wrote:

> A few years back I switched from INTERPRET to VALUE due to concerns I had
> from a security perspective.
>
> Value only performs an evaluation and assigns it to a variable. Interpret
> lets you do anything.
>
> Say, for example, in your sample code: if I could hijack your code and
> add a single line to the REXX, I could issue a JES2 command. The line is
>
> def=';x=isfcalls(on);address sdsf "isfexec /$DI";istr="DEF";say "DEF" '
>
> Sure, in this case it's just a harmless $DI, but it could be anything. The only
> difference in the output is an example blank line.
>
> That's why I've switched.
>
> Gary Freestone
> Kyndryl Australia
>
> From: Lionel B. Dyck
> Sent: Monday, 13 September 2021 9:45 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: REXX - Interpret or Value - Which is better?
>
> From a programming standpoint which is (a) more efficient, and (b) easier
> to understand - Interpret or Value?
>
> Examples:
>
> /* rexx */
> /* setup our defaults to start with */
> istr = 'abc'
> vstr = istr
>
> /* value examples */
> newvar = value(vstr,'def')
> say newvar
> say vstr value(vstr)
> newvar = value(vstr''1,'second')
> say newvar
> say vstr''1 value(vstr''1)
>
> /* interpret examples */
> interpret 'istr = def'
> interpret 'say' istr 'istr'
> interpret 'istr'1 '= second'
> interpret 'say' istr''1 'istr'1
>
> The main differences that I can see are that with interpret the new values
> are uppercase, and with value the return contains the new variable name.
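An added example, not code from anyone in this thread: Martin's pattern of handing stem assignments back from a procedure, done with VALUE() instead of INTERPRET so the returned string is only ever treated as data, and a tampered string in the style of Gary's line is rejected rather than run. The "name=value;name=value" format, the getInfo and applyPairs names, and the restriction to the INFO. stem are assumptions made for the example.

```rexx
/* REXX -- added example: hand stem assignments back from a       */
/* procedure without INTERPRET.  The callee returns plain data,   */
/* "name=value" pairs separated by ';', and the caller assigns    */
/* them with VALUE(), so nothing in the string is ever executed.  */
/* Assumptions: values contain no ';'; only the INFO. stem may    */
/* be set by the caller side (applyPairs).                        */

n = applyPairs(getInfo())
say n 'assignment(s) applied:' info.0 '/' info.1 '/' info.2

/* A tampered string in the style of the line in this thread:     */
/* the extra clauses fail the name check and are never executed.  */
bad = 'info.1=changed;address sdsf "isfexec /$DI";istr=DEF'
n = applyPairs(bad)
say n 'assignment(s) applied from the tampered string:' info.1
exit

getInfo: procedure
  /* Build the result as data only, never as REXX clauses          */
  return 'info.0=2;info.1=first value;info.2=second value'

applyPairs: procedure expose info.
  /* EXPOSE limits what VALUE() can reach to the agreed stem;      */
  /* any other symbol set in here is local and vanishes on return. */
  parse arg list
  okchars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._'
  done = 0
  do while list <> ''
    parse var list pair ';' list
    parse var pair name '=' val
    name = translate(strip(name))     /* symbol names are caseless */
    /* Allow-list: must be a compound symbol of the INFO. stem and  */
    /* contain only characters legal in a REXX symbol.              */
    if left(name, 5) <> 'INFO.' | verify(name, okchars) <> 0 then
      do
        say 'rejected:' pair
        iterate
      end
    call value name, val   /* assigns the text as-is; no evaluation */
    done = done + 1
  end
  return done
```

With the tampered string only INFO.1 is (harmlessly) overwritten with the text "changed"; the ADDRESS SDSF clause and the ISTR assignment are both rejected, so the caller never needs the original string to be syntactically safe REXX.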