Livecode Server and DO

jihem
Posts: 53
Joined: Sun Jul 28, 2013 3:21 pm

Livecode Server and DO

Post by jihem » Fri Jan 30, 2015 5:24 pm

Hi
Is there a bug or a limitation on LivecodeServer (Linux)?
"do" does nothing on Linux (but works on Windows and OSX).
I had to remake everything using "call"... and use global variables to return the results... :-/
Regards,
jihem

---
Livecode 7.0.1 Ubuntu 14.04 LTS 64bits

rabit
Posts: 40
Joined: Wed May 31, 2006 8:30 am

Re: Livecode Server and DO

Post by rabit » Sat Jan 31, 2015 6:07 pm

The do command doesn't work outside of handler context since server version 7.
For security reasons I see it either as a fixed bug or as a feature missing
in prior server versions.

Ralf

jihem
Posts: 53
Joined: Sun Jul 28, 2013 3:21 pm

Re: Livecode Server and DO

Post by jihem » Sun Feb 01, 2015 3:26 pm

"call" is still working, so what about "security reasons"...?
We can't handle sockets to make a server in LiveCode Server because of "security reasons"; now we can't use "do"...
PHP, Ruby, Perl, Python users can do this without any trouble...
Are we so stupid that we need somebody to restrict our usage?
I don't think so.

Thanks for the answer, and sorry for the noise... I'm a bit disappointed.
If it goes this way, half of my scripts will be using shell to call external commands to get the job done: send an email, get https content, launch a node.js server... This is boring. I would like to use LiveCode and LiveCode Server to do everything everywhere.

FourthWorld
VIP Livecode Opensource Backer
Posts: 9838
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles

Re: Livecode Server and DO

Post by FourthWorld » Sun Feb 01, 2015 4:58 pm

Ralf, where is that documented?

It may be worth revisiting that policy. First, as jihem noted, as long as we have "value" and "call" not having "do" is simply arbitrary and not a solution to the security risk.

Moreover, all three of those are very useful, and risks of using them can be mitigated with no more difficulty than developers are already accustomed to with other potential injection risks. All three should be used sparingly and with great care, but it should be our choice.

I have a server framework in which commands are sent to the server as one of the POST args, and on the server the command arg is checked against a list of acceptable commands. Only those commands on the list are allowed; any other string throws an error back to the client. For each of the acceptable commands I have a handler that processes it after sanitizing any other inputs, so any injection attempt is caught and accounted for.

Fortunately, long ago I got into the habit of using Linux standalones for my CGIs, and apparently this isn't an issue in my systems since I've migrated some of them to v7 and they still work well. I had originally started down that road back before LC Server allowed stack libraries, and stayed with it since just because it was working well and doesn't need to be rewritten just to accommodate the Server engine. Now that this issue has surfaced, it looks like I'll be staying with standalones on server, unable to consider using the Server engine itself as long as this limitation remains.

How does your framework handle requests developers define for themselves without "do"?
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
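The allow-list dispatch FourthWorld describes, combined with rabit's workaround of keeping "do" inside a handler, as an added LiveCode Server script that is not code from this thread, from Fourth World or from revIgniter (the handler names getStatus and listItems and the POST key "cmd" are assumed):

```livecode
<?lc
-- Added example: the raw POST value is only ever compared against the
-- allow list; it is never handed to "do" or "call" unless it matches.
constant kAllowedCommands = "getStatus,listItems"

command getStatus
   put "ok"
end getStatus

command listItems
   put "item1" & return & "item2"
end listItems

command runCommand pCmd
   -- Reject anything not on the list with a 400 before any output
   if pCmd is not among the items of kAllowedCommands then
      put header "Status: 400 Bad Request"
      put "unknown command"
      exit runCommand
   end if
   -- We are now in handler context, so "do" would work here on server 7
   -- (rabit's revIgniter workaround); since the name is already vetted,
   -- a plain "call" is enough and keeps "do" out of the request path.
   call pCmd
end runCommand

-- Top-level script code: dispatch the vetted command name
runCommand $_POST["cmd"]
?>
```

A missing or unknown "cmd" (including an empty one) falls through to the 400 branch, so the only handlers reachable from the request are the two on the constant.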

rabit
Posts: 40
Joined: Wed May 31, 2006 8:30 am

Re: Livecode Server and DO

Post by rabit » Sun Feb 01, 2015 7:52 pm

Richard, I don't think this is documented anywhere besides at
the QCC, see bug 13514.

I found this change in LiveCode server 7 while checking revIgniter
issues in version 7 and reported it as a bug.
revIgniter versions prior to 1.6.14 yield a server crash using server 7
due to this change.

revIgniter used the do command to call its controllers and to call the
handlers included with the controllers. Seems scary, but revIgniter
checks the existence of the controller file and then it checks the URI
segments against the handler list corresponding to the controller before
outputting anything. In case the check fails, a 404 error is sent.

Since revIgniter 1.6.14 the 4 do commands are replaced with a call to
a simple handler which consists of nothing more than a do command.

Ralf
-- Ralf Bitter

FourthWorld
VIP Livecode Opensource Backer
Posts: 9838
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles

Re: Livecode Server and DO

Post by FourthWorld » Mon Feb 02, 2015 4:30 pm

Thanks for the bug report number, Ralf. That item has been marked as a duplicate of another item still open, which is here:
http://quality.runrev.com/show_bug.cgi?id=11277

Fortunately this seems to be merely a bug rather than a design decision. Let's hope that remains so as it gets addressed.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems

Ralf Bitter
Posts: 21
Joined: Mon Aug 26, 2013 6:49 pm

Re: Livecode Server and DO

Post by Ralf Bitter » Mon Feb 02, 2015 5:15 pm

By the way, meanwhile the variableNames function can be used
outside of handler context again. This applies at least to the latest
server version.
Ralf
