topten, posted March 23, 2015

I am experimenting with the Execute function. This way works fine for me:

    $a = "fileread"
    $f = Execute ('fileread ("test.txt")')
    ConsoleWrite ($f)

But if I replace fileread with the variable $a then it won't work:

    $a = "fileread"
    $f = Execute ('$a ("test.txt")')
    ConsoleWrite ($f)

Is there a way to make it work from a var? Great thanks in advance!

Malkey, posted March 23, 2015

This appears to work.

    $a = "fileread"
    $f = Execute($a & '("test.txt")')
    ConsoleWrite($f)

topten (author), posted March 23, 2015

Ah great, thank you so much!

JohnOne, posted March 23, 2015

I tell you what would be ace, a way to run dynamically created code within the current process.

Pseudo:

    $str = "For $i = 0 To 10" & @CRLF
    $str &= " ConsoleWrite($i & @LF)" & @CRLF
    $str &= "Next"
    Execute($str)

mikell, posted March 23, 2015

Great. One might even give this a special name - i.e. "function" would be a pretty one.

JohnOne, posted March 23, 2015

> Great. One might even give this a special name - i.e. "function" would be a pretty one.

Not so sure, a function is already defined you see.

mpower, posted March 23, 2015

> Not so sure, a function is already defined you see.

I think that such a feature would open up a massive security vulnerability within any application written with this type of function. What you're talking about is some kind of simulator or, with a lot more complexity, a more-or-less rudimentary compiler.

JohnOne, posted March 23, 2015

Not really. There is already close to this functionality in /AutoItExecuteScript. You can dynamically create script and run it, just not from string. I don't think running code from a string poses any more a security vulnerability than running script from file.

mpower, posted March 24, 2015

> Not really. There is already close to this functionality in /AutoItExecuteScript. You can dynamically create script and run it, just not from string. I don't think running code from a string poses any more a security vulnerability than running script from file.

Agree or not, with a function like Execute($string) where $string can be any code you're opening up your software to a huge security vulnerability. Such a function would need some form of validation of $string for security purposes, to remove any potentially malicious code, but of course there is a high chance of the sanitation process completely breaking the code in $string.

Whilst it sounds like a good idea, it's absolutely not. We already have programs that do just that - execute code from strings - e.g. SciTe, but it's a purpose-written application that serves as a code editor. Unless you're writing some custom code that only your app can read and it interprets the special language into AutoIt functionality, Execute($string) is a pretty bad idea.

But that's my 2c, who knows, maybe I'm completely wrong, I just don't see how it would NOT be a huge security vulnerability.

JohnOne, posted March 24, 2015

Out of curiosity (because I'm not locked in to my opinion that there are no more security concerns), what is your reasoning that there are any security vulnerabilities with such functionality?

My reasoning is this.

    $str = "For $i = 0 To 10" & @CRLF
    $str &= " ConsoleWrite($i & @LF)" & @CRLF
    $str &= "Next"
    FileWrite("dynamic.au3", $str)
    Run(@AutoItExe & ' /AutoIt3ExecuteScript dynamic.au3')

Would be the same as the pseudo

    $str = "For $i = 0 To 10" & @CRLF
    $str &= " ConsoleWrite($i & @LF)" & @CRLF
    $str &= "Next"
    Execute($str)

if it were possible, and I wanted to run malicious code. I only see a gain, in that no temp file is needed, and any code return values could be useful in the running script.

SadBunny, posted March 24, 2015 (edited March 24, 2015 by SadBunny)

Well, executing unknown code is by definition a major security hole and one should never allow a user to input code and run that without SERIOUS safeguards. Not even if the dev himself is the only one inputting code. Copypaste is just too damn dangerous.

Having said that, it's very well possible anyway with the execute function, TS is just doing it wrong. First:

    $a = "fileread"
    $f = Execute ('$a ("test.txt")')

... will literally try to run the command $a ("test.txt"). "$a" is not a command. This is a command:

    $a = "fileread"
    $f = Execute ($a & '("test.txt")')

That will work fine, as long as test.txt is readable. If it doesn't, see if "test.txt" is in the working directory and/or supply a full path.

Again, I implore you in the strongest possible terms (I learned that from Tom Lennox in 24) to NOT allow any script to blindly execute code that you cannot predict, like code from an external file or -even worse- from user input. Even if you as the dev yourself will be the only one ever using it. Murphy says it's guaranteed to bite you in the ass at some point in the future, and in the worst way possible.

But you can, easily.

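An added example, not part of the thread: one way to let a variable choose the function without building an Execute() string, by dispatching through a fixed allowlist and confining the path to one directory. `_SafeFileOp`, `_IsInsideDir` and the `data` directory are hypothetical names; it assumes the `_PathFull` helper from the standard File.au3 UDF.

```autoit
; Added example (not from the thread): allowlist dispatch instead of Execute().
; _SafeFileOp, _IsInsideDir and the "data" directory are hypothetical names.
#include <File.au3> ; for _PathFull

; True only if $sPath resolves to a location inside $sBaseDir.
Func _IsInsideDir($sPath, $sBaseDir)
    Local $sBase = _PathFull($sBaseDir)
    If StringRight($sBase, 1) <> "\" Then $sBase &= "\"
    Local $sFull = _PathFull($sPath, $sBase)
    ; The = operator compares strings case-insensitively, matching Windows paths.
    Return StringLeft($sFull, StringLen($sBase)) = $sBase
EndFunc   ;==>_IsInsideDir

; Maps a caller-supplied name to a fixed set of calls. The name and the path
; are only ever used as data; nothing is concatenated into an expression.
Func _SafeFileOp($sName, $sPath, $sBaseDir)
    If Not _IsInsideDir($sPath, $sBaseDir) Then Return SetError(2, 0, "")
    Local $sFull = _PathFull($sPath, $sBaseDir)
    Switch StringLower($sName)
        Case "fileread"
            Return FileRead($sFull)
        Case "filegetsize"
            Return FileGetSize($sFull)
        Case "fileexists"
            Return FileExists($sFull)
        Case Else
            Return SetError(1, 0, "") ; name is not on the allowlist
    EndSwitch
EndFunc   ;==>_SafeFileOp

; Constructed inputs: a valid request, a name off the allowlist, a path escape.
Local $sBase = @ScriptDir & "\data"
DirCreate($sBase)
FileWrite($sBase & "\test.txt", "hello")
Local $aTests[3][2] = [["fileread", "test.txt"], _
        ["filedelete", "test.txt"], _
        ["fileread", "..\other.au3"]]
For $i = 0 To UBound($aTests) - 1
    Local $vRet = _SafeFileOp($aTests[$i][0], $aTests[$i][1], $sBase)
    Local $iErr = @error ; capture before any other call resets it
    ConsoleWrite($aTests[$i][0] & " " & $aTests[$i][1] & " -> @error=" & $iErr & " result=" & $vRet & @CRLF)
Next
```

Only the first request reaches a file function; the other two return with @error set to 1 (unknown name) and 2 (path outside the base directory).
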
JohnOne, posted March 24, 2015

My point is, it is already possible to do that, as I showed above, so whether Execute() and or /AutoIt3ExecuteScript are security risks or not, no extra security risks would be introduced.

SadBunny, posted March 24, 2015

> My point is, it is already possible to do that, as I showed above, so whether Execute() and or /AutoIt3ExecuteScript are security risks or not, no extra security risks would be introduced.

I guess I'm missing something... You seemed to think that it wasn't possible to run code from a string/variable and wrote pseudocode. I showed it is possible. You asked what extra security risks would be introduced, I showed that they're already there.

What did I miss?

SadBunny, posted March 24, 2015

Oh wait, your pseudocode doesn't run like that indeed. I get it now. I focused on TS's code, which didn't run correctly for another reason than the reason why yours isn't working.

My apologies for the misunderstanding. Anyway, TS can actually run the generated code he wants to run if he formulates that string correctly.

JohnOne, posted March 24, 2015

I'm a bit confused as to what you mean by "TS".

SadBunny, posted March 24, 2015

TS? Topic starter. Normal abbreviation on every other forum I frequent. Maybe it's a Dutch thing.

JohnOne, posted March 24, 2015

Ah! Then here, usually "TS" == "OP" (original poster).

SadBunny, posted March 24, 2015

Ah, right, I know that one too. Though it's sometimes used for "Original Post", like "as noted in the OP by TS".

JohnOne, posted March 24, 2015

So to be a little clearer, I think Multi line Execute would be a fabulous addition to the AutoIt arsenal.

jguinch, posted March 24, 2015

I agree with you J1. Such a function would be great!