Calling code from a memo field

Plateforme Level Extreme

Abonnement

Profil corporatif

Produits & Services

Support

Légal

English

Calling code from a memo field

Message

06/07/2005 14:31:44

Fabio Lunardon
Lunacom
Marostica, Italie

06/07/2005 13:36:25

Bo Durban
Moxie Data, Inc.
Canton, Georgie, États-Unis

Information générale

Forum:

Visual FoxPro

Catégorie:

Codage, syntaxe et commandes

Titre:

Re: Calling code from a memo field

Versions des environnements

Visual FoxPro:

VFP 8 SP1

OS:

Windows XP SP1

Network:

Windows 2000 Server

Database:

Visual FoxPro

Divers

Thread ID:

01029391

Message ID:

01029639

Vues:

>> Doesn't exist any way of copying into a file with exclusive access a
>> Blob/memo and to execute it with a DO command; a small interval time
>> exists where the file is free;
>> a good hacker can
>> - capture the API FCLOSE event
>> - to put to sleep VFP,
>> - to modify it ;
>> to wake up again VFP that performs confident a different thing.
>
>I don't know that there is a good way around this problem. The Blob/Memo is going to be stored in a file too.
>

This is not true if you work with a Backend.

>Maybe you could store a check sum in your script table and compare the check sum before you execute the script. You could also check the file size.
>
>You can open the object file read-only to lock it and the script will still execute. I just tried this and it worked:
>
>

>** create a binary script
>STRTOFILE("MESSAGEBOX('Hello World')","temp.prg")
>COMPILE temp.prg
>cBlob = FILETOSTR("temp.fxp")
>DELETE FILE temp.prg
>DELETE FILE temp.fxp
>
>
>** test our function
>SECURESCRIPT(cBlob)
>
>***********************************
>FUNCTION SECURESCRIPT(cBlob)
>
>cTempFile = ADDBS(SYS(2023))+SYS(2015)+".fxp"
>** copy script to temp file
>nLen = STRTOFILE(cBlob, cTempFile)
>** open file readonly to lock it
>hnd = FOPEN(cTempFile)
>** check the file size to make sure it is OK
>IF FSEEK(hnd,0,2) = nLen
>   ** execute it
>   DO (cTempFile)
>ENDIF
>** cleanup
>FCLOSE(hnd)
>DELETE FILE (cTempFile)
>

This is not sufficient for me:

** create a binary script
STRTOFILE("MESSAGEBOX('Hello World')","temp.prg")
COMPILE temp.prg NODEBUG
cBlob = FILETOSTR("temp.fxp")
DELETE FILE temp.prg
DELETE FILE temp.fxp


** test our function
SECURESCRIPT(cBlob)

***********************************
FUNCTION SECURESCRIPT(cBlob)

cTempFile = ADDBS(SYS(2023))+SYS(2015)+".fxp"
** copy script to temp file
nLen = STRTOFILE(cBlob, cTempFile)
** open file readonly to lock it
hnd = FOPEN(cTempFile)
** check the file size to make sure it is OK

IF FSEEK(hnd,0,2) = nLen
	* simulate a hacker capture
	cRun = 'notepad.exe "'+cTempFile+ '"'
	RUN &cRun
	* If you are a hacker, then you know whether to do with the program of capture
	DO (cTempFile)
ENDIF
** cleanup
FCLOSE(hnd)
DELETE FILE (cTempFile)

This is the least one that guarantees the code (at least to User Privilege of the OS)

** create a binary script
STRTOFILE("MESSAGEBOX('Hello World')","temp.prg")
COMPILE temp.prg
cBlob = FILETOSTR("temp.fxp") && this is not sure, but this is not a problem
DELETE FILE temp.*

** test our function
SECURESCRIPT(cBlob)

***********************************
FUNCTION SECURESCRIPT(cBlob)
* here i can do a CRC64
ON ERROR ? MESSAGE()
cTempFile = ADDBS(SYS(2023))+SYS(2015)+".fxp"

hnd = FCREATE(cTempFile)  && i want exclusive access, with READ

IF FWRITE(hnd,cBlob) = LEN(cBlob) AND FFLUSH(hnd,.T.)
	cRun = 'notepad.exe "'+cTempFile+ '"'
	RUN &cRun
   DO (cTempFile)	&& VFP doesn't see that that ago himself, very amusing
ENDIF
** cleanup
FCLOSE(hnd)		&& here you lose 
DO (cTempFile)	&& now you can access, BUT IT IS FREE
DELETE FILE (cTempFile)

Répondre

Fil

Voir

Click here to load this message in the networking platform