Current group: bit.listserv.tsorexx

From: Bob Bridges
Subject: Re: Calling function with variable name -- security
Date: 18 Jan 2005 08:20:28 -0800
You're absolutely right about that last. But it isn't clear to me how it
would happen. If the program is running in the foreground then it's
running under the user's privileges; and if it's running in batch under an
ID with production privileges, then it would never be allowed to read from
a test dataset...or rather, if that happens it's a screwup. Besides, who
would write INTERPRET into a production program anyway? I agree it should
be done carefully for production, but that's about the only case where I'd
be concerned about security.

---
Bob Bridges, robertbridges@discoverfinancial.com, 224 405-0811
rhbridg@attglobal.net, 847 520-1684 xt 243

/* Science is a differential equation. Religion is a boundary condition.
-Alan Turing, quoted in J D Barrow's _Theories of Everything_ */




Paul Gilmartin
2005-01-17 07:10


To: TSO-REXX@VM.MARIST.EDU
cc:
Subject: Re: Antwort: Re: [TsoRexx] Calling function with variable name [Virus checked]

True, but he might not be able to run it with the author's privileges.

tso calc 4+6; delete 'SYS1.LINKLIB'

(not realistic, but the idea is that a system-privileged task shouldn't
INTERPRET a string read from a profile written by a non-privileged user.)




Ted MacNEIL
2005-01-16 18:00


To: TSO-REXX@VM.MARIST.EDU
cc:
Subject: Re: Antwort: Re: [TsoRexx] Calling function with variable name [Virus checked]

The user could also write a different EXEC with those kind of coding
skills.

/* REXX */
arg op
interpret "SAY" op
exit

The best example of a 'good' use of interpret.

tso %calc 4+6




Paul Gilmartin
2005-01-16 23:58

To: TSO-REXX@VM.MARIST.EDU
cc:
Subject: Re: Calling function with variable name

In this case, the user can specify an arbitrary function; even, unless
the programmer is careful, a list of commands separated by semicolons.
This is giving the user the ability to modify the programmer's code.


--- In a recent note, Karl-Heinz Wittemann said:
> Date: Mon, 17 Jan 2005 06:48:58 +0100
>
> I did a lot of INTERPRET without problem. Why don't you like to use it?


> ---Quote from Ralph Bremer:
> > what i really want is to be able to call a rexx function
> > which is not known when writing the calling rexx
> > but which the user of that rexx will specify in a configuration file .....
> >
> > i have it working with interpret but i try to avoid interpret whenever
> > possible ....

----------------------------------------------------------------------
For TSO-REXX subscribe / signoff / archive access instructions,
send email to LISTSERV@VM.MARIST.EDU with the message: INFO TSO-REXX
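
Added example, not part of the original thread and not any poster's code: one way to call a function named in a user-written configuration value while keeping that value from becoming arbitrary REXX under INTERPRET. The routine name callByName, the allowlist and its three functions, and the sample cfg. values are assumptions made up for illustration.

```rexx
/* REXX - added example, not from the thread.                        */
/* Calls a function named in user-supplied config text without       */
/* letting that text become arbitrary REXX. All names hypothetical.  */
allowed = 'TOUPPER REVSTR WORDCNT'    /* functions the author permits */

/* Constructed sample values, as they might be read from a profile   */
cfg.1 = 'toupper'
cfg.2 = "calc 4+6; delete 'SYS1.LINKLIB'"
cfg.3 = 'REVSTR'
cfg.4 = 'NOTLISTED'
cfg.0 = 4

do i = 1 to cfg.0
  say left(cfg.i, 34) '=>' callByName(cfg.i, 'abc def')
end
exit 0

callByName: procedure expose allowed
  parse arg name, data
  name = translate(strip(name))        /* uppercase, trim blanks      */
  /* Must be exactly one REXX symbol: this excludes blanks,           */
  /* semicolons, parentheses, quotes and operators                    */
  if words(name) <> 1 | datatype(name, 'S') = 0 then
    return '*rejected: not a single symbol*'
  /* Must be a routine the author listed                              */
  if wordpos(name, allowed) = 0 then
    return '*rejected: not in allowlist*'
  /* Only a validated name reaches INTERPRET. The argument is passed  */
  /* as the variable DATA, never spliced into the interpreted string. */
  interpret 'out =' name'(data)'
  return out

TOUPPER: return translate(arg(1))
REVSTR:  return reverse(arg(1))
WORDCNT: return words(arg(1))
```

The allowlist alone would stop the second sample value; the symbol check is kept as a separate guard so the routine still refuses multi-clause input if the allowlist is later loosened or built from data.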