I'm doing my taxes and i have to evaluate strings like "4,54"
resulting in a number of cents.
A do a precaution, I want that numbers are only recognized
after ONLY, i.e. in the minimum search order, to prevent
executing of arbitrary strings, such
" ""rm *"" SYSTEM ".

So I begin the dotaxes word

: dotaxes ONLY ... ;

That works in my simple (own) Forth and also in gforth.

I wonder if that is a portable technique?

Groetjes Albert

P.S. My Forth ignores comma's in numbers. It doable by >NUMBER
but that is a pain.
--
"in our communism country Viet Nam, people are forced to be
alive and in the western country like US, people are free to
die from Covid 19 lol" duc ha
albert@spe&ar&c.xs4all.nl &=n http://home.hccnet.nl/a.w.m.van.der.horst

On 30 Apr 2022 at 14:38:52 CEST, "none) (albert" <none) (albert> wrote:

> I'm doing my taxes and i have to evaluate strings like "4,54"
> resulting in a number of cents.
> A do a precaution, I want that numbers are only recognized
> after ONLY, i.e. in the minimum search order, to prevent
> executing of arbitrary strings, such
> " ""rm *"" SYSTEM ".
>
> So I begin the dotaxes word
>
> : dotaxes ONLY ... ;
>
> That works in my simple (own) Forth and also in gforth.
>
> I wonder if that is a portable technique?

I'm not convinced that ONLY is sufficiently defined for you.

"Set the search order to the implementation-defined minimum search order. The
minimum search order shall include the words FORTH-WORDLIST and SET-ORDER.
"

The ANS/Forth200x/Forth202x failure to define how number separators can be
defined is a problem that forces people to bury tools. MPE Forths have allowed
users to define separators for 25+ years.

Stephen

--
Stephen Pelc, stephen@vfxforth.com
MicroProcessor Engineering, Ltd. - More Real, Less Time
133 Hill Lane, Southampton SO15 5AF, England
tel: +44 (0)23 8063 1441, +44 (0)78 0390 3612, +34 649 662 974
http://www.mpeforth.com - free VFX Forth downloads

albert@cherry.(none) (albert) writes:
>I'm doing my taxes and i have to evaluate strings like "4,54"
>resulting in a number of cents.
>A do a precaution, I want that numbers are only recognized
>after ONLY

I assume you mean that you only want to use EVALUATE, but only
recognize numbers.

>i.e. in the minimum search order, to prevent
>executing of arbitrary strings, such
>" ""rm *"" SYSTEM ".
>
>So I begin the dotaxes word
>
>: dotaxes ONLY ... ;
>
>That works in my simple (own) Forth and also in gforth.

It's not clear what's up with the quotes in the example above, but in
Gforth you can break out of ONLY with FORTH (ONLY is not SEAL, and
even SEAL is not what you want). E.g.

only forth
s" evil-command" system

You can also break out of ONLY with FORTH in iForth, lxf, SwiftForth,
and VFX.

If you want to remove all word lists from the search order, use

0 set-order

- anton
--
M. Anton Ertl http://www.complang.tuwien.ac.at/anton/home.html
comp.lang.forth FAQs: http://www.complang.tuwien.ac.at/forth/faq/toc.html
New standard: http://www.forth200x.org/forth200x.html
EuroForth 2021: https://euro.theforth.net/2021

In article <2022Apr30.193157@mips.complang.tuwien.ac.at>,
Anton Ertl <anton@mips.complang.tuwien.ac.at> wrote:
>albert@cherry.(none) (albert) writes:
>>I'm doing my taxes and i have to evaluate strings like "4,54"
>>resulting in a number of cents.
>>A do a precaution, I want that numbers are only recognized
>>after ONLY
>
>I assume you mean that you only want to use EVALUATE, but only
>recognize numbers.
>
>>i.e. in the minimum search order, to prevent
>>executing of arbitrary strings, such
>>" ""rm *"" SYSTEM ".
>>
>>So I begin the dotaxes word
>>
>>: dotaxes ONLY ... ;
>>
>>That works in my simple (own) Forth and also in gforth.
>
>It's not clear what's up with the quotes in the example above, but in

As long as the prefix " was not ISO anyway I adopted the ALGOL68
convention that you can insert " in a string by doubling it.
I was not prepared to invent a string denotation that doesn't
allow me to define strings of printable characters. (AD MMI that was).

>Gforth you can break out of ONLY with FORTH (ONLY is not SEAL, and
>even SEAL is not what you want). E.g.
>
>only forth
>s" evil-command" system

That was what I wanted to prevent. So no forth-wordlist in the
search-order containing the evil `SYSTEM command.

>
>You can also break out of ONLY with FORTH in iForth, lxf, SwiftForth,
>and VFX.

And ciforth. Everybody uses
`` ONLY FORTH ''
That is not the way the standard expects it apparently.
You are supposed to do
`` forth-wordlist 1 set-order ''
because it is not guaranteed that FORTH is in the minimum search order.
(Last time I looked.)

>
>If you want to remove all word lists from the search order, use
>
>0 set-order

The trick^H^H^H^H technique works in gforth and mpe forth.
: test ONLY S" 1 2 3 DROP" EVALUATE ; redefined test ok
test
*evaluated string*:-1: Undefined word
1 2 3 >>>DROP<<<
Backtrace:
....

What you recommend, works also in ciforth and gforth.

ONLY FORTH ok
: test 0 set-order S" 1 2 3 DROP" EVALUATE ; redefined test ok
test
*evaluated string*:-1: Undefined word
1 2 3 >>>DROP<<<

It works more or less in mpe forth, but you cannot recover
from `` 0 set-order '' . You can only type ^C .
`` ONLY FORTH '' doesn't help. This is certainly a
viable interpretation of the standard, making ONLY the
best portable way to have the Forth system understand numbers
("denotations") only.

>- anton

Groetjes Albert

P.S.
I'm doing my taxes, and an unbridled EVALUATE feels not right.

: doit ONLY
"ING1742206_2021.csv" SLURP-FILE TRANSACTIONS 2!
"recipients.txt" SLURP-FILE DONATIONS 2!
process-recipients ;

Making this into a turnkey, it is not a big deal that the (mpe)
interpreter is messed up, so either technique works.
--
"in our communism country Viet Nam, people are forced to be
alive and in the western country like US, people are free to
die from Covid 19 lol" duc ha
albert@spe&ar&c.xs4all.nl &=n http://home.hccnet.nl/a.w.m.van.der.horst

On 2022-05-01 13:27, albert wrote:
> In article <2022Apr30.193157@mips.complang.tuwien.ac.at>,
> Anton Ertl <anton@mips.complang.tuwien.ac.at> wrote:
>> albert@cherry.(none) (albert) writes:
>>> I'm doing my taxes and i have to evaluate strings like "4,54"
>>> resulting in a number of cents.
>>> A do a precaution, I want that numbers are only recognized
>>> after ONLY
>>
>> I assume you mean that you only want to use EVALUATE, but only
>> recognize numbers.
>>
[...]

>> Gforth you can break out of ONLY with FORTH (ONLY is not SEAL, and
>> even SEAL is not what you want). E.g.
>>
>> only forth
>> s" evil-command" system
>
> That was what I wanted to prevent. So no forth-wordlist in the
> search-order containing the evil `SYSTEM command.
>

[...]
>>
>> If you want to remove all word lists from the search order, use
>>
>> 0 set-order
>
> The trick^H^H^H^H technique works in gforth and mpe forth.
> : test ONLY S" 1 2 3 DROP" EVALUATE ; redefined test ok
> test
> *evaluated string*:-1: Undefined word
> 1 2 3 >>>DROP<<<
> Backtrace:
> ...
>
> What you recommend, works also in ciforth and gforth.
>
> ONLY FORTH ok
> : test 0 set-order S" 1 2 3 DROP" EVALUATE ; redefined test ok
> test
> *evaluated string*:-1: Undefined word
> 1 2 3 >>>DROP<<<
>
> It works more or less in mpe forth, but you cannot recover
> from `` 0 set-order '' . You can only type ^C .
> `` ONLY FORTH '' doesn't help. This is certainly a
> viable interpretation of the standard, making ONLY the
> best portable way to have the Forth system understand numbers
> ("denotations") only.

You have to use CATCH and restore the search order.

: within-order-execute ( i*x xt i*wid u.i -- j*x )
get-order n>r set-order catch nr> set-order throw
;
: string-to-numbers ( sd.numbers -- i*x ) ( f: -- j*r )
['] evaluate 0 within-order-execute
;
: string-to-numbers-count ( f: -- j*r )
( sd.numbers -- i*x u.i-integers u.j-floats )
fdepth >r depth 2 - >r string-to-numbers depth r> - fdepth r> -
;
: s-to-n ( sd.number -- x )
string-to-numbers-count swap 1 <> or
abort" Error: not a single integer"
;

\ test
s" 1 2 3" string-to-numbers . . . \ "3 2 1"
s" 1 2 3 also forth drop" string-to-numbers \ error

--
Ruvim

albert@cherry.(none) (albert) writes:
>In article <2022Apr30.193157@mips.complang.tuwien.ac.at>,
>Anton Ertl <anton@mips.complang.tuwien.ac.at> wrote:
>>only forth
>>s" evil-command" system
>
>That was what I wanted to prevent. So no forth-wordlist in the
>search-order containing the evil `SYSTEM command.

Does not help if you can change the search order.

>Everybody uses
>`` ONLY FORTH ''
>That is not the way the standard expects it apparently.
>You are supposed to do
>`` forth-wordlist 1 set-order ''
>because it is not guaranteed that FORTH is in the minimum search order.
>(Last time I looked.)

FORTH is SEARCH-EXT, just like ONLY.

But it does not matter whether you use FORTH, or FORTH-WORDLIST 1
SET-ORDER. It means that ONLY is not a way to prevent an attacker
from doing everything Forth can do.

>>If you want to remove all word lists from the search order, use
>>
>>0 set-order
>
>The trick^H^H^H^H technique works in gforth and mpe forth.
>: test ONLY S" 1 2 3 DROP" EVALUATE ; redefined test ok
>test
>*evaluated string*:-1: Undefined word
>1 2 3 >>>DROP<<<
>Backtrace:
>...

: test ONLY S" 1 2 3 FORTH DROP" EVALUATE ; ok
test ok 2
..s <2> 1 2 ok 2

: test1 only s\" forth s\" echo *\" system" evaluate ; cr test1
\ output: #Makefile# #timings.sc~ 2012words.fs AUTHORS ...

Now try replacing "echo" with "rm".

>It works more or less in mpe forth, but you cannot recover
>from `` 0 set-order '' .

Sure I can, and Ruvim told you how you can, too.

- anton
--
M. Anton Ertl http://www.complang.tuwien.ac.at/anton/home.html
comp.lang.forth FAQs: http://www.complang.tuwien.ac.at/forth/faq/toc.html
New standard: http://www.forth200x.org/forth200x.html
EuroForth 2021: https://euro.theforth.net/2021

On Saturday, April 30, 2022 at 7:38:56 AM UTC-5, none albert wrote:
> A do a precaution, I want that numbers are only recognized
> after ONLY, i.e. in the minimum search order, to prevent
You inspired me to implement ONLY that works with FIG vocabularies.
Readily done:
i. Create a vocabulary, VOC0, to be minimal:
forth definitions
vocabulary voc0
voc0 definitions
: fths Forth Definitions ;
fths
i. Now for the FIG part need to link the first (and only) word in
voc0 to the null word in Forth vocabulary. Note, I moved the null
word to the start of the dictionary before LIT so that only the
null word will be linked into voc0:
' lit nfa
hex
{ begin c1 over @ - while cell- repeat } e \ find null word's nfa, C1
decimal
voc0
' fths lfa ! \ link first word in voc0 to null word
fths
i. : ONLY voc0 definitions ;

That's it.
only 1 2 3 \ input numbers
fths . . . \ ==> 3 2 1 , do something with the numbers

In my enhanced interpreter I can also get enclosed strings:
only 42 "Today's number is "
fths count type . \ => Today's number is 42

May not provide much, just some savings of search time but it doesn't
cost anything. It didn't change core other than moving the null word
around. The feature can be left out and loaded when desired.

--
me