Issues creating instance of SmallInteger

stéphane ducasse ducasse at iam.unibe.ch
Sat May 13 16:52:04 UTC 2006


On 13 mai 06, at 12:20, Philippe Marschall wrote:

>> For the purpose of generating a SmallInteger (from XML ya know..),  
>> Object readFrom:'42' works just fine!
>
> Do _not_ do that. This is a _huge_ security hole. What it does is
> evaluate the string. This string can be any Smalltalk code. This way
> you have arbitrary code execution in Smalltalk.
>
> An exploit for this would look like this:
> Object readFrom: 'SmalltalkImage current snapshot: false andQuit: true'

True!!!! Argh!
The problem is that it forces you to save in the file also the type of your field (except if we would use Magritte :) but this is for a later version.

> Do
> Number readFrom: aString
> instead. This has its own problems like that
> Number readFrom: 'garbage'
> returns 0 but this will be fixed and at least it's safe.
>
> Please note that also Boolean class >> #readFrom: is broken in the same
> way. This is the reason why you can execute arbitrary Smalltalk code
> in every Squeak image that uses SOAP either as client or server.
> Combine that with FFI and X11 root exploits and you have a nightmare.


Philippe, do you have a fix?
You know me :)

Stef


>
> Cheers
> Philippe
>
>
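The thread recommends `Number readFrom:` over `Object readFrom:` for untrusted input, and notes both that `Number readFrom: 'garbage'` answers 0 and that `Boolean class >> #readFrom:` shares the evaluation problem. As an added illustration (not code from the thread or from Squeak itself), here are two strict parsers for XML field values that never hand the string to the compiler and answer nil instead of a bogus default on malformed input. Only basic Collection and Character protocol (`detect:ifNone:`, `allButFirst`, `digitValue`) is assumed; the variable and block names are my own.

```smalltalk
"Added example: non-evaluating parsers for untrusted integer and boolean
 field values. Nothing here calls readFrom: or the compiler, so a string
 containing Smalltalk source is simply rejected, never executed."

| parseInteger parseBoolean |

"Answer an Integer for an optionally '-' prefixed run of decimal digits,
 nil for anything else (including the empty string and 'garbage')."
parseInteger := [:aString |
    | digits sign value |
    digits := aString.
    sign := 1.
    (digits notEmpty and: [digits first = $-])
        ifTrue: [sign := -1. digits := digits allButFirst].
    (digits notEmpty
        and: [(digits detect: [:c | c isDigit not] ifNone: [nil]) isNil])
            ifTrue: [
                value := 0.
                digits do: [:c | value := value * 10 + c digitValue].
                sign * value]
            ifFalse: [nil]].

"Answer true or false only for the exact literals 'true' and 'false';
 nil otherwise, so a caller can tell a missing or malformed field apart
 from a real false."
parseBoolean := [:aString |
    aString = 'true'
        ifTrue: [true]
        ifFalse: [aString = 'false' ifTrue: [false] ifFalse: [nil]]].

parseInteger value: '42'.                  "answers 42"
parseInteger value: '-17'.                 "answers -17"
parseInteger value: 'garbage'.             "answers nil, not 0"
parseInteger value: 'Transcript show: 42'. "answers nil; nothing is evaluated"
parseBoolean value: 'true'.                "answers true"
parseBoolean value: 'Smalltalk beep'.      "answers nil; nothing is evaluated"
```

Because the type of each field is known to the reader of the file, the caller picks `parseInteger` or `parseBoolean` per field rather than letting the data decide what it is; a nil result is the signal to reject the document rather than to fall back to 0 or false.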