Thank you Raul,
I've updated safe1 and safe2 to prevent arbitrary names that start with aLj...
apply was the problem rather than u:, I hope.
safe1 =: '''_0123456789+*-<>|;,#{}()[]'
safe2 =: 'u:';'x:';'}.';'}:';'" ';'":';'! ';'$ ';'= ';'^ ';'^.';'a.';'a:';'L.';'L:';'j.';'i.';'i:'
----- Original Message -----
From: Raul Miller <[email protected]>
To: Programming forum <[email protected]>
Cc:
Sent: Wednesday, February 26, 2014 4:05:13 PM
Subject: Re: [Jprogramming] introducing JON alternative to JSON
On Wed, Feb 26, 2014 at 1:45 PM, Pascal Jasmin <[email protected]> wrote:
> My big question though is have I overlooked any potential unsafe code that
> could be run with doSafe?
Yes.
Here's an example:
   exploit=: smoutput@3:
   doSafe '(u: ',(":u:inv 5!:5 <'exploit'),') apply 0'
3
Of course, there's not too much damage that a person could do with the
number 3, but hopefully the pattern is obvious.
Thanks,
--
Raul
----------------------------------------------------------------------
For information about J forums see http://www.jsoftware.com/forums.htm