A

Anonymous

Question

Client incorrect RMI - am i right ? if so, please fix or provide sollution

Forum|Forum|16 years ago
March 5, 2010
2 replies
658 views

I invistigated fms 3.5 and discovered it uses SpiderMonkey Javascript 1.5 (correct me if i am wrong)

Now, this version of SpiderMonkey supports Object.prototype.__noSuchMethod__

If this is implemented, a function like:

function(mName, mArgs){

}

is invoked whenever a method that does not exist in the prototype is called.

for example, put this in a main.asc:

Client.prototype.__noSuchMethod__ = function(mName,mArgs) {

trace(mName + " was called");

}

application.onAppConnect = function(client) {

client.theMethod(); // <-this will trace "theMethod was called"

}

This is very useful, but things get ugly when a client side call is made, like

nc.call("theMethodFromClient")

Unlike expected, this will not go through __noScuhMethod__ but will default to triggering an error/warning that will call application.onStatus

Why does this behave so and not as expected ? (my guess is that when you implemented RMI for FMS in C/C++ code, you are testing only if the client has the nc.call invoked method name, otherwise to trigger error, but you ingnored to also test the Client prototype for __noSuchMethod__, in which case, no error should be triggered and default SpiderMonkey behavior should occur)

This is so sad as it would be very useful to split client side nc.calls into different service prototypes.

This topic has been closed for replies.

A

Anonymous

This method is not supported due to security issues it might lead to. If the server side script has defined __noSuchMethod__ as part of its design, it will be pretty easy to just send any exploits.

A

Anonymous

The previous answer is not a serious answer, hopefully is not an answer from an Adobe employee.

You answer is just like saying every other software platform there that allows dynamic invocation(almost all dynamic languages) is pretty easy to be prone on exploits.

Find the exploit please:

Client.prototype.__noSuchMethod__ = function(m, a) {

// here an exploit happens

trace("exploit me: " + m + " " + a);

}

Now an exploit would be something created by a client, this means that a RTMP client, through server side __noSuchMethod__ would be able to perform code injection. Inject code in the sample above.

FFS !!!

Asa_-_FMS

Adobe Employee

__noSuchMethod__ does work - I just tested it - but only from within script as was indicated. If you call from a NC.call then FMS' code intercepts that and won't call the noSuchMethod. There's not a security relation yet, other than that it's as you indicate weak to bad programming that you can have a known processing point for any method call, should it be implemented. That's not a good enough reason to prevent it, it'll just go in the pending hardening guide as a recommended best practice to avoid using it or at least carefully secure code usage within as it has a large call surface.

However all this is irrelevant because at the moment it's a missing feature of FMS/JS and we'd be happy to take an enhancement bug for adding it. Would you care to file one?

https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform

Asa

A

Anonymous

Apply a _resolve() method to the object to handle undefined members.

SomeClass.prototype._resolve = function(){

// handle it

}

someObject._resolve = function(){

// handle it

}

A

Anonymous

Nope, _resolve is for missing properties not for missing methods

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded