[E-Lang] Bug Report: Scope Handling Inconsistency

Mark S. Miller markm@caplet.com
Mon, 12 Feb 2001 08:09:27 -0800

At 07:30 AM Monday 2/12/01, Mark S. Miller wrote:
>To repair this, I think we need to add the top level scope as an explicit 
>argument to Evaluator's eval message (but not to the "meta eval" syntax).

Oops.  This would violate POLA and be a definite security hole.  The 
Evaluator (the first "argument" in the "meta eval" syntax) is only supposed 
to get access to the enclosing scope corresponding to the names used freely 
by the expression (the second "argument"), or defined by the expression and 
still in scope at the end of the expression.  That way, the programmer's 
normal intuitions about which variables may be affected by the expression 
remain valid, even though the Evaluator is untrusted.  If the top level 
interactive scope is provided explicitly, the untrusted Evaluator can wreak 
havoc outside these variables.

I think the way out is to define a facet on the outer scope that's 
restricted to a fixed set of variable names.  The list would be generated by 
the expansion of the "meta eval" syntax by scope analysis in the way 
already described.
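
The facet proposed above, sketched as an added example in JavaScript rather than E; it is not code from the original message or from the E implementation. The names makeScope, facetNames and makeFacet, the toy AST node types and the sample variables are all hypothetical and constructed for illustration.

```javascript
// A mutable top-level scope, standing in for the interactive scope.
function makeScope(initial) {
  const slots = new Map(Object.entries(initial));
  return Object.freeze({
    get(name) {
      if (!slots.has(name)) throw new ReferenceError(name);
      return slots.get(name);
    },
    put(name, value) { slots.set(name, value); },
  });
}
// Toy scope analysis: names the expression uses freely, plus names it
// defines that are still in scope at its end (block-local defs are not).
function facetNames(expr, hidden = new Set(), nested = false, out = new Set()) {
  switch (expr.type) {
    case 'use':
    case 'assign':
      if (!hidden.has(expr.name)) out.add(expr.name);
      if (expr.value) facetNames(expr.value, hidden, nested, out);
      break;
    case 'def':
      facetNames(expr.value, hidden, nested, out);
      if (nested) hidden.add(expr.name); else out.add(expr.name);
      break;
    case 'seq':
      for (const e of expr.items) facetNames(e, hidden, nested, out);
      break;
    case 'block':
      facetNames(expr.body, new Set(hidden), true, out);
      break;
  }
  return out;
}
// Facet on the outer scope, restricted to a fixed set of variable names.
function makeFacet(scope, names) {
  const allowed = new Set(names);
  const check = (n) => { if (!allowed.has(n)) throw new Error(`facet denies "${n}"`); };
  return Object.freeze({
    get(name) { check(name); return scope.get(name); },
    put(name, value) { check(name); scope.put(name, value); },
  });
}
// Constructed AST for:  { def tmp := x };  def y := x
const sampleExpr = { type: 'seq', items: [
  { type: 'block', body: { type: 'def', name: 'tmp', value: { type: 'use', name: 'x' } } },
  { type: 'def', name: 'y', value: { type: 'use', name: 'x' } },
] };
```

The untrusted evaluator is handed only the result of `makeFacet(top, facetNames(expr))`, never `top` itself, so any access to a name outside the analysed list throws before it reaches the outer scope.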