Issues creating instance of SmallInteger

stéphane ducasse ducasse at
Sat May 13 16:53:25 UTC 2006

> The mechanism promoted with Parts (VS) was very interesting
>  and not followed by any other dialect of smalltalk (imho because
>  it's power requires experience in it's use to be observed).
> Parts let power user's customize teh GUI of the product
>  following the constrains emerging from the underlying
>  model of the core system.

Could you explain a bit more. Because this is still really cryptic  
for me :)


> It was better than compilation because parts was loaded/saved
>  in binary mode and do not requires compilation (a really
>  slooow process)
> best;
> Ale.
> ----- Original Message -----
> From: "Philippe Marschall" <philippe.marschall at>
> To: "The general-purpose Squeak developers list"
> <squeak-dev at>
> Sent: Saturday, May 13, 2006 7:20 AM
> Subject: Re: Re: Issues creating instance of SmallInteger
>> For the purpose of generating a SmallInteger (from XML ya know..),  
>> Object
> readFrom:'42' works just fine!
> Do _not_ do that. This is a _huge_ security hole. What it does it
> evalutates the string. This string can be any Smalltalk code. This way
> you have aribrary code execution in Smalltalk.
> An exploit for this would look like this:
> Object readFrom: 'SmalltalkImage current snapshot: false andQuit:  
> true'
> Do
> Number readFrom: aString
> instead. This has its own problems like that
> Number readFrom: 'garbage'
> returns 0 but this will be fixed and at leas it's safe.
> Please not that also Boolean class >> #readFrom: is borken in the same
> way. This is the reason why you can execute arbitrary Smalltalk code
> in every Squeak image that uses SOAP either as client or server.
> Combine that with FFI and X11 root exploits and you have a nightmare.
> Cheers
> Philippe

More information about the Squeak-dev mailing list