[E-Lang] Bug Report: Scope Handling Inconsistency
Mark S. Miller
markm@caplet.com
Mon, 12 Feb 2001 08:09:27 -0800

At 07:30 AM Monday 2/12/01, Mark S. Miller wrote:
>To repair this, I think we need to add the top level scope as an explicit
>argument to Evaluator's eval message (but not to the "meta eval" syntax).

Oops. This would violate POLA and be a definite security hole. The
Evaluator (the first "argument" in the "meta eval" syntax) is only supposed
to get access to the enclosing scope corresponding to the names used freely
by the expression (the second "argument"), or defined by the expression and
still in scope at the end of the expression. That way, the programmer's
normal intuitions about which variables may be affected by the expression
remain valid, even though the Evaluator is untrusted. If the top level
interactive scope is provided explicitly, the untrusted Evaluator can wreak
havoc outside these variables.

I think the way out is to define a facet on the outer scope that's
restricted to a fixed set of variable names. The list would be generated by
the expansion of the "meta eval" syntax by scope analysis in the way
already described.

Cheers,
--MarkM
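
The restricted facet proposed in the message above, sketched in JavaScript as an added example (not code from the original message or from E). `makeScope`, `makeScopeFacet`, `untrustedEvaluator`, the sample variables and the hard-coded name list standing in for the scope analysis are all assumptions made for illustration.

```javascript
// Outer (top-level interactive) scope: full authority over every variable.
function makeScope(initial) {
  const vars = new Map(Object.entries(initial));
  return Object.freeze({
    get: (name) => {
      if (!vars.has(name)) throw new ReferenceError(`undefined variable: ${name}`);
      return vars.get(name);
    },
    put: (name, value) => { vars.set(name, value); },
    names: () => [...vars.keys()].sort(),
  });
}

// Facet: same get/put protocol, but only for a fixed set of names.
// The full scope stays hidden in the closure, and the name list is copied
// so the caller cannot widen it after the facet is handed out.
function makeScopeFacet(scope, allowedNames) {
  const allowed = new Set(allowedNames);
  const check = (name) => {
    if (!allowed.has(name)) throw new Error(`facet does not grant access to: ${name}`);
  };
  return Object.freeze({
    get: (name) => { check(name); return scope.get(name); },
    put: (name, value) => { check(name); scope.put(name, value); },
    names: () => [...allowed].sort(),
  });
}

// Hypothetical untrusted Evaluator: evaluates "z := x + y", then attempts
// to overwrite a variable the expression never mentioned.
function untrustedEvaluator(facet) {
  facet.put('z', facet.get('x') + facet.get('y'));
  try {
    facet.put('secret', 'overwritten');
    return 'escaped';
  } catch (err) {
    return 'blocked';
  }
}

function demo() {
  const top = makeScope({ x: 2, y: 3, secret: 'keep' }); // constructed sample scope
  // Name list as scope analysis would give it for "z := x + y":
  // x and y are used freely, z is defined and still in scope afterwards.
  const facet = makeScopeFacet(top, ['x', 'y', 'z']);
  const outcome = untrustedEvaluator(facet);
  return { outcome, z: top.get('z'), secret: top.get('secret') };
}
```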