[vwnc] Turn off code editing feels in runtime

[vwnc] Turn off code editing feels in runtime

Runar Jordahl
Our application has the VisualWorks "code editing feels" enabled. If,
for example, our users press CTRL-F, "ifFalse:" is entered into input
fields. These shortcuts should of course not be enabled in an
application.

I notice that ParagraphEditor>>initialize sets supportCodeEditingFeels
to true. I wonder if I need to change this, or if there is a better
way to disable these keyboard shortcuts?

Kind regards
Runar
_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc

Re: [vwnc] Turn off code editing feels in runtime

Randy Coulman

On Tue, Nov 4, 2008 at 2:41 AM, Runar Jordahl <[hidden email]> wrote:
> Our application has the VisualWorks "code editing feels" enabled. If,
> for example, our users press CTRL-F, "ifFalse:" is entered into input
> fields. These shortcuts should of course not be enabled in an
> application.
>
> I notice that ParagraphEditor>>initialize sets supportCodeEditingFeels
> to true. I wonder if I need to change this, or if there is a better
> way to disable these keyboard shortcuts?


We ran into this as well.  I get the feeling that the initial value in #initialize was added later, and probably shouldn't have been.  If you look at ParagraphEditor>>supportCodeEditingFeels, it lazily initializes the value to false; however, because the value is set to true in #initialize, the lazy default never applies.  My guess is that someone, somewhere took a shortcut by adding it to initialize.
 
We work around this by sending supportCodeEditingFeels: false wherever we use a ParagraphEditor.

I think that the default value should be changed, because if client code does nothing, it is possible to execute arbitrary code in a text edit widget (using Ctrl-D).

Randy
--
Randy Coulman
[hidden email]

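An audit for the workaround described in the message above, as an added example that is not part of the original thread. Evaluated in a running image, it finds every live ParagraphEditor (or subclass) instance that still has code editing feels enabled and switches them off. It uses only standard reflection (`withAllSubclasses`, `allInstances`) and the two accessors named in the thread, and it assumes `ParagraphEditor` resolves in the namespace where the snippet is evaluated.

```smalltalk
"Added example, not code from the thread or from VisualWorks itself.
 Audits live editors for the setting discussed above and disables it."
| offenders |
offenders := OrderedCollection new.

"Walk ParagraphEditor and every subclass so specialised editors are covered too."
ParagraphEditor withAllSubclasses do: [:editorClass |
	editorClass allInstances do: [:editor |
		"The getter is the accessor named in the thread; it answers true
		 whenever #initialize has run and nobody has reset the flag."
		editor supportCodeEditingFeels ifTrue: [
			offenders add: editor.
			editor supportCodeEditingFeels: false]]].

"Report per class, so the missing supportCodeEditingFeels: false call can be traced."
(offenders collect: [:each | each class name]) asSet do: [:className |
	Transcript showCr: 'code editing feels was enabled on an instance of ', className].

Transcript showCr: offenders size printString, ' editor(s) reset'.
offenders
```

Editors created after the audit runs still receive the value set in #initialize, so a non-empty result points to a widget where the explicit `supportCodeEditingFeels: false` send is missing.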
Re: [vwnc] Turn off code editing feels in runtime

Runar Jordahl
When running in a terminal server environment (like Citrix), giving
users the ability to execute any code from a trusted client can
introduce a security risk. End users are basically given the ability
to do whatever functions the application code has security access to
do. If the user was restricted to only access the application, the
user can now shape the application to do whatever he wants it to do.

Cincom should definitely fix this issue.

Kind regards
Runar
Re: [vwnc] Turn off code editing feels in runtime

Andre Schnoor

On 05.11.2008 at 10:30, Runar Jordahl wrote:

> When running in a terminal server environment (like Citrix), giving
> users the ability to execute any code from a trusted client can
> introduce a security risk. End users are basically given the ability
> to do whatever functions the application code has security access to
> do. If the user was restricted to only access the application, the
> user can now shape the application to do whatever he wants it to do.
>
> Cincom should definitely fix this issue.


Absolutely.

This is a nice example of the importance of a clean separation of  
development tools from deployed products, which can be difficult with  
Smalltalk in general.

Instead of tweaking instance vars at runtime that magically hide some  
functionality from the UI only, there should be two subclasses of  
ParagraphEditor, one for development and one for runtime, that ensure  
this separation inherently and safely.

As the text editor needs a major rewrite anyway, this might be an  
opportunity to take care of security considerations too.

Andre

Re: [vwnc] Turn off code editing feels in runtime

Andres Valloud-6
In reply to this post by Randy Coulman
AR 55947...


From: [hidden email] [mailto:[hidden email]] On Behalf Of Randy Coulman
Sent: Tuesday, November 04, 2008 6:53 AM
To: Runar Jordahl
Cc: VW NC
Subject: Re: [vwnc] Turn off code editing feels in runtime


On Tue, Nov 4, 2008 at 2:41 AM, Runar Jordahl <[hidden email]> wrote:
Our application has the VisualWorks "code editing feels" enabled. If,
for example, our users press CTRL-F, "ifFalse:" is entered into input
fields. These shortcuts should of course not be enabled in an
application.

I notice that ParagraphEditor>>initialize sets supportCodeEditingFeels
to true. I wonder if I need to change this, or if there is a better
way to disable these keyboard shortcuts?


We ran into this as well.  I get the feeling that the initial value in #initialize was added later, and probably shouldn't have been.  If you look at ParagraphEditor>>supportCodeEditingFeels, it lazily initializes the value to false; however, because the value is set to true in #initialize, the lazy default never applies.  My guess is that someone, somewhere took a shortcut by adding it to initialize.
 
We work around this by sending supportCodeEditingFeels: false wherever we use a ParagraphEditor.

I think that the default value should be changed, because if client code does nothing, it is possible to execute arbitrary code in a text edit widget (using Ctrl-D).

Randy
--
Randy Coulman
[hidden email]
