Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EQUAL? tests hidden values #1778

Closed
Siskin-Bot opened this issue Feb 15, 2020 · 1 comment
Closed

EQUAL? tests hidden values #1778

Siskin-Bot opened this issue Feb 15, 2020 · 1 comment
Labels
Datatype: object! Oldes.resolved Bugs/wishes with Oldes' fixes/features Protection Status.important Test.written Type.bug

Comments

@Siskin-Bot
Copy link
Collaborator

Submitted by: mikerev

EQUAL? should ignore hidden values, otherwise you can determine the value by brute force testing. Equality functions should not consider the value or names of hidden fields.

>> equal? context [a: 1 protect/hide 'a] context [a: 2 protect/hide 'a]
== false  ; should be true
>> equal? context [a: 1 protect/hide 'a] context [a: 1 protect/hide 'a]
== true
>> equal? context [a: 1 protect/hide 'a] context [b: 1 protect/hide 'b]
== false  ; should be true
>> equal? context [a: 1 protect/hide 'a] context [a: 1]
== true  ; should be false
>> equal? context [a: 1 protect/hide 'a] context []
== false  ; should be true, or false if the existence of a hidden field matters

Imported from: CureCode [ Version: alpha 110 Type: Bug Platform: All Category: Security Reproduce: Always Fixed-in:none ]
Imported from: metaeducation#1778

Comments:

Rebolbot commented on Nov 24, 2010:

Submitted by: Sunanda

Nice catch.

I'd agree -- FALSE is better; better still may be a "can't compare objects with hidden fields" error.

The current behaviour allows the value of 'a to be recovered:

o1: context [a: 57 protect/hide 'a]
o2: context [a: 1]
while [o1 <> o2] [o2/a: o2/a + 1]
probe o2
== make object! [
    a: 57
]

In real life it may not be so simple (especially if there were more hidden variables, and 'a were not an integer), but it should not be possible at all.

Rebolbot commented on Nov 25, 2010:

Submitted by: BrianH

It's a security issue. A lot of contexts will have hidden fields so we shouldn't just refuse to compare the whole context, but we should follow the general pattern of pretending that the fields don't exist, at least for comparison purposes. Ticket tweaked accordingly, and more examples added.

We might want them to consider whether a hidden field (or whatever name) is there, or we might want to pretend the hidden fields are not there at all. If we ignore the existence of hidden fields altogether then you will get objects that are equal even though their lengths are not - this might be acceptable. If we allow the existence of hidden fields to matter to the equality functions, then we might consider whether to ignore their position in the object, since that doesn't really matter. Whichever seems the most appropriate.

Rebolbot added Type.bug and Status.important on Jan 12, 2016
@Oldes Oldes added Test.written Oldes.resolved Bugs/wishes with Oldes' fixes/features labels Jun 20, 2023
@Oldes
Copy link
Owner

Oldes commented Jun 20, 2023

Objects must have same length (to have the equality check faster), so the existence of hidden fields does matter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Datatype: object! Oldes.resolved Bugs/wishes with Oldes' fixes/features Protection Status.important Test.written Type.bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Oldes @Siskin-Bot