No registered users in community xowiki
in last 10 minutes
in last 10 minutes
Re: [Xotcl] NX question
From: Victor Mayevski <vitick_at_gmail.com>
Date: Tue, 26 Oct 2010 13:37:03 -0700 (PDT)
Thank you Gustaf, that makes sense. I have also found that I can still do attribute settings the old - "dash" way, so, most of my code should be fine.
----- Original Message -----
From: "Gustaf Neumann" <neumann_at_wu-wien.ac.at>
To: "Victor Mayevski" <vitick_at_gmail.com>
Cc: xotcl_at_alice.wu-wien.ac.at
Sent: Tuesday, October 26, 2010 4:20:48 AM GMT -08:00 US/Canada Pacific
Subject: Re: NX question
Hi victor,
also with nx, one can call methods during the object creation,
very similar to "eval":
# create class
nx::Class create Foo {
:public method bar {} {return 1}
:public method baz {} {return 2}
}
# create object
Foo create f1 { :bar; :baz; :destroy }
Calling methods during creation is very common, and happens
as well in the example above during the creation of the
class Foo.
The example above can be written as well more compact via
# create new class and object and cleanup everything
nx::Class new {
:public method bar {} {return 1}
:public method baz {} {return 2}
:create new { :bar; :baz; :destroy }
:destroy
}
In this example, the class is created with new, during
initialization, the methods "bar" and "baz" are created,
then an instance of the class is created (and calls
"bar" and "baz", and destroys itself), and finally the
class is deleted. If you want to run theses examples,
please update from git).
The problem with the dash ("-") commands is that they support
variable number of arguments. Unless one puts dash-commands
into a list (which is not usually done), and e.g. a variable
v has
the content "-foo", an invocation "... create f1 -x $v -y 1"
will try
to call a method foo. The security problem comes in, when
one has untrusted variable contents (e.g. provided via web).
It is certainly possible (and recommended) to validate
untrusted
content, or to use the list notation "... create f1 [list -x
$v] -y 1"
but in practice, this is often not done (by oversight,
non-awareness,
laziness, ...)
Finally, the standard xotcl answer: eveything can be configured.
Since nsf supports XOTcl 2.0 (and both, nx and xotcl2
are fully scripted), it is certainly possible to reconfigure nx
to get the good old dash-processing again to your scripts.
-gustaf neumann
On 26.10.10 06:36, Victor Mayevski wrote:
> Hello Gustaf,
>
> I have been playing with NX, so far I really like it, the speed, the clean interface, everything is very nice. One thing I miss though, which I have been using often in XOTcl, is invocation of methods during object creation. Example "MyClass create myobject -dowork1 -dowork2 -finalize -destroy". I know that you mentioned in the git log somewhere that this was security concern and NX will not have this capability. However, you did say that this can be scripted in. Can you give an example of how to do it? Is it really such a security issue?
>
> Thanks
>
Date: Tue, 26 Oct 2010 13:37:03 -0700 (PDT)
Thank you Gustaf, that makes sense. I have also found that I can still do attribute settings the old - "dash" way, so, most of my code should be fine.
----- Original Message -----
From: "Gustaf Neumann" <neumann_at_wu-wien.ac.at>
To: "Victor Mayevski" <vitick_at_gmail.com>
Cc: xotcl_at_alice.wu-wien.ac.at
Sent: Tuesday, October 26, 2010 4:20:48 AM GMT -08:00 US/Canada Pacific
Subject: Re: NX question
Hi victor,
also with nx, one can call methods during the object creation,
very similar to "eval":
# create class
nx::Class create Foo {
:public method bar {} {return 1}
:public method baz {} {return 2}
}
# create object
Foo create f1 { :bar; :baz; :destroy }
Calling methods during creation is very common, and happens
as well in the example above during the creation of the
class Foo.
The example above can be written as well more compact via
# create new class and object and cleanup everything
nx::Class new {
:public method bar {} {return 1}
:public method baz {} {return 2}
:create new { :bar; :baz; :destroy }
:destroy
}
In this example, the class is created with new, during
initialization, the methods "bar" and "baz" are created,
then an instance of the class is created (and calls
"bar" and "baz", and destroys itself), and finally the
class is deleted. If you want to run theses examples,
please update from git).
The problem with the dash ("-") commands is that they support
variable number of arguments. Unless one puts dash-commands
into a list (which is not usually done), and e.g. a variable
v has
the content "-foo", an invocation "... create f1 -x $v -y 1"
will try
to call a method foo. The security problem comes in, when
one has untrusted variable contents (e.g. provided via web).
It is certainly possible (and recommended) to validate
untrusted
content, or to use the list notation "... create f1 [list -x
$v] -y 1"
but in practice, this is often not done (by oversight,
non-awareness,
laziness, ...)
Finally, the standard xotcl answer: eveything can be configured.
Since nsf supports XOTcl 2.0 (and both, nx and xotcl2
are fully scripted), it is certainly possible to reconfigure nx
to get the good old dash-processing again to your scripts.
-gustaf neumann
On 26.10.10 06:36, Victor Mayevski wrote:
> Hello Gustaf,
>
> I have been playing with NX, so far I really like it, the speed, the clean interface, everything is very nice. One thing I miss though, which I have been using often in XOTcl, is invocation of methods during object creation. Example "MyClass create myobject -dowork1 -dowork2 -finalize -destroy". I know that you mentioned in the git log somewhere that this was security concern and NX will not have this capability. However, you did say that this can be scripted in. Can you give an example of how to do it? Is it really such a security issue?
>
> Thanks
>