19 Dec 2007
Your security hole is my fun hack, or: computing factorial in DrScheme with a click-powered loop.
posted by Robby Findler
One of the many changes in v4.0 is to close a security hole in DrScheme. Specifically, in DrScheme v371 the program in the definitions window can get hold of the editor object that contains it and manipulate that editor programmatically: the syntax objects DrScheme builds for the definitions window record the editor itself as their source, so a macro only has to hand syntax-source back to the program as a literal and the program has a full text% to send messages to. There are lots of bad things one might do with this, like circumventing DrScheme’s protections to make it crash, or even exit spontaneously.
But we can do something even more fun. Put the following program into a DrScheme window (in v371) and set the language to the mzscheme/textual language. Change input to whatever number you wish to compute the factorial of and then hit the Run button repeatedly until your program has transformed itself into the final result. Each Run performs one iteration of the loop: the program keeps its loop state (the counter and the running product) in a comment on its own first line, rewrites that line on every click, and on the last click replaces it with the answer and wraps the rest of itself in a block comment, so that nothing but the answer is left to run.
(define input 10)

(require (lib "mred.ss" "mred")
         (lib "class.ss"))

(let* (;; v371 records the definitions-window editor itself as the source of
       ;; the syntax objects it produces, so this macro expands to the editor
       ;; object as a literal.  This is the hole that v4.0 closes.
       [ed (let-syntax ([m (λ (stx)
                             (with-syntax ([x (syntax-source stx)])
                               #'x))])
             (m))]
       ;; The loop state lives in the first line, as a comment "; n acc".
       [mth (regexp-match #rx"^; ([0-9]+) ([0-9]+)"
                          (send ed get-text 0 (send ed paragraph-end-position 0)))]
       ;; The definitions window is locked while the program runs; remember
       ;; the lock state so it can be restored afterwards.
       [lckd (send ed is-locked?)])
  (send ed begin-edit-sequence)
  (send ed lock #f)
  (if mth
      (let ([n (string->number (list-ref mth 1))]
            [acc (string->number (list-ref mth 2))])
        ;; Drop the old state line; the newline after it stays.
        (send ed delete 0 (send ed paragraph-end-position 0))
        (if (= n 1)
            (begin
              ;; Base case: put the answer on top and comment out the program.
              (send ed delete 0 (send ed paragraph-end-position 0))
              (send ed insert (format "~a\n#|" acc) 0)
              (send ed insert "\n|#" (send ed last-position)))
            (begin
              ;; One more iteration: counter n-1, accumulator n*acc.
              (send ed delete 0 (send ed paragraph-end-position 0))
              (send ed insert (format "; ~a ~a" (- n 1) (* n acc)) 0 0))))
      ;; First click: seed the state with n = input, acc = 1.
      (send ed insert (format "; ~a 1\n" input) 0))
  (send ed lock lckd)
  (send ed end-edit-sequence))
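To follow the click-powered loop without a v371 install, here is an added Python model of the text rewrite that each Run performs on the definitions buffer. It is my code, not part of the post: the editor operations (read the first paragraph, delete it, insert at position 0 and at the end) become plain string operations, the editor access itself is not modelled, and the program text is a constructed stand-in whose first line is all that matters. It also drives the loop to completion and reads the answer back, and it goes one step beyond the post by capping the click count, which shows that an input of 0 never reaches the n = 1 base case.

```python
import re

# Constructed stand-in for the definitions-window contents; only the first
# line takes part in the rewrite, the rest is carried along verbatim.
PROGRAM = (
    "(define input 10)\n"
    "(require (lib \"mred.ss\" \"mred\") (lib \"class.ss\"))\n"
    ";; ... the self-rewriting let* from the post goes here ...\n"
)

STATE_RE = re.compile(r"^; ([0-9]+) ([0-9]+)")   # same pattern as the Scheme code
DONE_RE = re.compile(r"^[0-9]+\n#\|")            # answer on top, program commented out


def step(text, input_value):
    """One click of Run: rewrite the first paragraph as the Scheme program does."""
    m = STATE_RE.match(text)
    if m is None:
        # First click: seed the state line "; n acc" with n = input, acc = 1.
        return f"; {input_value} 1\n" + text
    n, acc = int(m.group(1)), int(m.group(2))
    # delete 0 .. paragraph-end-position 0: the newline after the line survives
    eol = text.find("\n")
    rest = text[eol:] if eol >= 0 else ""
    if n == 1:
        # Base case: the answer on top, everything else inside a block comment.
        return f"{acc}\n#|" + rest + "\n|#"
    # Next iteration: counter n-1, accumulator n*acc.
    return f"; {n - 1} {n * acc}" + rest


def run(program, input_value, max_clicks=10_000):
    """Click Run until the program has become its result; return (text, clicks)."""
    text, clicks = program, 0
    while not DONE_RE.match(text):
        if clicks >= max_clicks:
            # The original program has no base case for n = 0: it rewrites the
            # state to "; -1 0", which no longer matches, and reseeds forever.
            raise RuntimeError(f"no result after {clicks} clicks (input {input_value})")
        text = step(text, input_value)
        clicks += 1
    return text, clicks


def factorial_by_clicks(n):
    """The number left on the first line once the loop has finished."""
    text, _ = run(PROGRAM, n)
    return int(text.split("\n", 1)[0])


if __name__ == "__main__":
    final, clicks = run(PROGRAM, 10)
    print(f"{clicks} clicks")
    print(final)
```

For an input of n the loop needs n + 1 clicks: one to seed the state line and one per iteration down to the base case, and the final text is the factorial on line one followed by the original program wrapped in #| ... |#.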
Some folks would call that a feature!
— Griff, 20 December 2007
Oh, indeed! Virus authors consider C’s lack of array bounds checking a feature, no doubt. :)
— Robby, 20 December 2007