UserFunctionality is a security breach!
|
Has anyone notice how easy it would be to circumnavigate Magic menu's and, if applicable, the rights assign to these by replacing the UserFunctionality with your own 'hacking' version? You could easily replace the, let's say Range function, by a function that let's you call ANY program within your application, even if it is in a higher component, by simple doing a 'Call By Exp' with the program number you enter in your replaced Range functionality. If you add a decimal to the program number, like 12.01, you could call program# 12 in the parent component, of 12.02, for program# 12 in the grandparent component. I would therefore recommend to NEVER use this ecf as is but to 'copy' this end user functionality into your own application. I say 'copy' but it's more like a rebuild/retype as you can't copy most of it as they are (complicated) functions in the Main Program. This way you can also change the GUI to match your own application. The down side of this is that every time Magic has a new version you need to check if anything was changed in the UserFunctionality. For instance in V3.2 the form size in pixels was introduced which caused the popup screen of the ColumnFilter not to work anymore. In short: Why aren't all these functions build in like before? Who really needs them to be in an ecf?? I still prefer the old way of doing locate's and range's better on the field directly. MUCH clearer for the end user to use as well. Also this new UserFunctionality doesn't seem to work if you create a temp program with Ctrl+G on a database table. Perhaps we should start a poll on this? Who wants the old functionality back?? Best regards, Harry Kleinsmit. |
|||||
|
|
|||||
|
Second that.
Van: main@magicu-l.groups.io [mailto:main@magicu-l.groups.io]
Namens harry@...
Verzonden: donderdag 16 februari 2017 13:01 Aan: main@magicu-l.groups.io Onderwerp: [magicu-l] UserFunctionality is a security breach!
Has anyone notice how easy it would be to circumnavigate Magic menu's and, if applicable, the rights assign to these by replacing the UserFunctionality with your own 'hacking' version? You could easily replace the, let's say Range function, by a function that let's you call ANY program within your application, even if it is in a higher component, by simple doing a 'Call By Exp' with the program number you enter in your replaced Range functionality. If you add a decimal to the program number, like 12.01, you could call program# 12 in the parent component, of 12.02, for program# 12 in the grandparent component. I would therefore recommend to NEVER use this ecf as is but to 'copy' this end user functionality into your own application. I say 'copy' but it's more like a rebuild/retype as you can't copy most of it as they are (complicated) functions in the Main Program. This way you can also change the GUI to match your own application. The down side of this is that every time Magic has a new version you need to check if anything was changed in the UserFunctionality. For instance in V3.2 the form size in pixels was introduced which caused the popup screen of the ColumnFilter not to work anymore. In short: Why aren't all these functions build in like before? Who really needs them to be in an ecf?? I still prefer the old way of doing locate's and range's better on the field directly. MUCH clearer for the end user to use as well. Also this new UserFunctionality doesn't seem to work if you create a temp program with Ctrl+G on a database table. Perhaps we should start a poll on this? Who wants the old functionality back?? Best regards, Harry Kleinsmit.
|
|||||
|
|
|||||
|
Steven Burrows
While in principle I third it, I think a method of “signing” components so that they cannot be hot swapped would be a solution I would support. Its not JUST UserFunctionality
From: main@magicu-l.groups.io [mailto:main@magicu-l.groups.io]
On Behalf Of Florian Groothuis
Sent: 16 February 2017 12:04 To: main@magicu-l.groups.io Subject: Re: [magicu-l] UserFunctionality is a security breach!
Second that.
Van:
main@magicu-l.groups.io [mailto:main@magicu-l.groups.io]
Namens harry@...
Has anyone notice how easy it would be to circumnavigate Magic menu's and, if applicable, the rights assign to these by replacing the UserFunctionality with your own 'hacking' version? You could easily replace the, let's say Range function, by a function that let's you call ANY program within your application, even if it is in a higher component, by simple doing a 'Call By Exp' with the program number you enter in your replaced Range functionality. If you add a decimal to the program number, like 12.01, you could call program# 12 in the parent component, of 12.02, for program# 12 in the grandparent component. I would therefore recommend to NEVER use this ecf as is but to 'copy' this end user functionality into your own application. I say 'copy' but it's more like a rebuild/retype as you can't copy most of it as they are (complicated) functions in the Main Program. This way you can also change the GUI to match your own application. The down side of this is that every time Magic has a new version you need to check if anything was changed in the UserFunctionality. For instance in V3.2 the form size in pixels was introduced which caused the popup screen of the ColumnFilter not to work anymore. In short: Why aren't all these functions build in like before? Who really needs them to be in an ecf?? I still prefer the old way of doing locate's and range's better on the field directly. MUCH clearer for the end user to use as well. Also this new UserFunctionality doesn't seem to work if you create a temp program with Ctrl+G on a database table. Perhaps we should start a poll on this? Who wants the old functionality back?? Best regards, Harry Kleinsmit.
|
|||||
|
|
|||||
|
I prefer the old functionality.
Erwin |
|||||
|
|
|||||
|
Avgerinos
One vote for old way.
toggle quoted message
Show quoted text
I never use UserFunctionality.ECF, exactly for the reasons mentioned. Avgerinos On 16/2/2017 2:01 μμ, harry@...
wrote:
|
|||||
|
|
|||||
|
Avgerinos
Also one vote for signing components.
toggle quoted message
Show quoted text
Insecurity was the reason external components were rejected by our global IT Avgerinos On 16/2/2017 2:43 μμ, BURROWS Steven
wrote:
|
|||||
|
|
|||||
|
Andy Jerison
Click here to vote in a poll on this issue.
|
|||||
|
|
|||||
|
Pavel Mencl
I believe it was Keith who suggested a while ago that we could ask for both! And you could choose if you want to use the built-in search/locate... by screen or use the component. Regarding the component,apart from the security concerns which I haven't been able to digest yet I've realized that customizing the component is a double-edged sword and I might easily fall on it in the feature.Done it anyway but still feel a bit uneasy about the whole thing. Pavel |
|||||
|
|
|||||
|
Pavel,
I did suggest that a while ago. If I remember correctly, MSE removed the built in user functionality when they stripped the Magic Engine from all built in UI functions. My understanding is that it was a huge effort to maintain this internal UI code when they did upgrades. My guess is that it was a big issue in moving from uniPaas’s code base to XPA (more integrated .net). So the UserFunctionality ecf was born because MSE could write this like we do and the engine would process it like our programs. My guess is that we got a number of internal functions (sort, range, etc) that it needed to function properly since they no longer had the luxury of having it built in so there needed to be a way to tell the engine what it wanted to do. This was good for us.
However IMHO we still needed the old format where it was the “Query by Forms” method, allowing the user’s form to be the input to ranges and locates. This is doable by MSE, but they had other priorities and the UserFunctionality (along with the separate MgxpaSettings.exe program to maintain the settings in the runtime engine.. again eliminating the need for UI functions) allowed the engine to no longer have hard coded UI stuff in it.
We’ll see if it ever comes back.
Keith
From: main@magicu-l.groups.io [mailto:main@magicu-l.groups.io] On Behalf Of Pavel Mencl
Sent: Friday, February 17, 2017 12:59 AM To: main@magicu-l.groups.io Subject: Re: [magicu-l] UserFunctionality is a security breach!
I believe it was Keith who suggested a while ago that we could ask for both! And you could choose if you want to use the built-in search/locate... by screen or use the component. Regarding the component,apart from the security concerns which I haven't been able to digest yet I've realized that customizing the component is a double-edged sword and I might easily fall on it in the feature.Done it anyway but still feel a bit uneasy about the whole thing. Pavel
|
|||||
|
|
|||||
|
Heidi Schuppenhauer
I did exactly that, although not so much because I thought about the security issue. You can make an *amazing* little program if you work at it, combining all those little functions into one cool program and using it in your very own application. Unfortunately I did it on someone else's dime so I can't pass it out.
|
|||||
|
|
|||||
|
Frederik Soete
Hi, I do not know about versions after eDeveloper v. 9 and before XPA3, but the old approach of v. 9 is also not entirely flawless and secure. In the range expression editor of old Magic versions a clever user is able to call functions that should not intentionally be called (other than logical ones such as INSTR). At least with XPA 3 one can override this by writing one's own user functionality programs (not necessarily in a component, but within the main application, if you do not use components). Just my 2 cents. Frederik Soete Op 16 feb. 2017 13:01 schreef <harry@...>:
|
|||||
|
|
