[Xotcl] NX question

Gustaf Neumann neumann at wu-wien.ac.at
Tue Oct 26 13:20:48 CEST 2010


Hi victor,

also with nx, one can call methods during the object creation,
very similar to "eval":

    # create class
    nx::Class create Foo {
      :public method bar {} {return 1}
      :public method baz {} {return 2}
    }

    # create object
    Foo create f1 { :bar; :baz; :destroy }

Calling methods during creation is very common, and happens
as well in the example above during the creation of the 
class Foo.

The example above can be written as well more compact via

     # create new class and object and cleanup everything
     nx::Class new {
       :public method bar {} {return 1}
       :public method baz {} {return 2}
       :create new { :bar; :baz; :destroy }
       :destroy
     }

In this example, the class is created with new, during
initialization, the methods "bar" and "baz" are created,
then an instance of the class is created (and calls
"bar" and "baz", and destroys itself), and finally the
class is deleted. (If you want to run these examples,
please update from git).

The problem with the dash ("-") commands is that they support
variable number of arguments. Unless one puts dash-commands
into a list (which is not usually done), and e.g. a variable v has
the content "-foo", an invocation "... create f1 -x $v -y 1" will try
to call a method foo. The security problem comes in, when
one has untrusted variable contents (e.g. provided via web).
It is certainly possible (and recommended) to validate untrusted
content, or to use the list notation "... create f1 [list -x $v] -y 1"
but in practice, this is often not done (by oversight, non-awareness,
laziness, ...)

Finally, the standard xotcl answer: everything can be configured.
Since nsf supports XOTcl 2.0 (and both, nx and xotcl2
are fully scripted), it is certainly possible to reconfigure nx
to get the good old dash-processing again to your scripts.

-gustaf neumann

On 26.10.10 06:36, Victor Mayevski wrote:
> Hello Gustaf,
>
> I have been playing with NX, so far I really like it, the speed, the clean interface, everything is very nice. One thing I miss though, which I have been using often in XOTcl, is invocation of methods during object creation. Example "MyClass create myobject -dowork1 -dowork2 -finalize -destroy". I know that you mentioned in the git log somewhere that this was security concern and NX will not have this capability. However, you did say that this can be scripted in. Can you give an example of how to do it? Is it really such a security issue?
>
> Thanks
>
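
Added example, not part of the original message and not XOTcl or nsf code: a plain-Tcl model of the dash processing discussed above, showing how a value of "-foo" in `$v` turns into an extra method call unless the list notation is used. The proc name `dashCalls` and the parsing rules are assumptions made for illustration; the real implementation may differ in details.

```tcl
# Simplified model of dash processing, written for this example only.
# Returns the list of {method arg ...} calls that the creation
# arguments would trigger.
proc dashCalls {args} {
    set calls {}
    set current {}
    foreach a $args {
        if {[string index $a 0] eq "-"} {
            # a word starting with a dash begins a new method call
            if {[llength $current]} { lappend calls $current }
            if {![catch {llength $a} len] && $len > 1} {
                # list notation: method name and its arguments are one word,
                # so the arguments cannot be mistaken for further methods
                set name [string range [lindex $a 0] 1 end]
                lappend calls [list $name {*}[lrange $a 1 end]]
                set current {}
            } else {
                set current [list [string range $a 1 end]]
            }
        } elseif {[llength $current]} {
            # plain word: argument of the method call in progress
            lappend current $a
        }
    }
    if {[llength $current]} { lappend calls $current }
    return $calls
}

# Constructed sample of untrusted input (e.g. a web form field)
set v "-foo"

# Unquoted: the content of v is parsed as a method name, so "foo"
# appears as a call of its own and "x" receives no argument.
puts "unquoted:      [dashCalls -x $v -y 1]"

# List notation: "-foo" stays the argument of x; no call to foo.
puts "list notation: [dashCalls [list -x $v] -y 1]"

# Validation before use, the other mitigation named in the message:
# refuse values that begin with a dash.
if {[string index $v 0] eq "-"} {
    puts "rejected untrusted value: $v"
}
```

The model needs only a Tcl 8.5 or later interpreter (for `{*}`), no nx or XOTcl installation.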
