The exec-function is described here: http://squirrel-lang.org/doc/sqstdlib2.html#d0e1925.
Ah, though it's called system, I must be blind for not having found that. Thanks
Although I'm the one who did this, I doubt we gained any security at all
It is the only sensible thing to do, though.
Scripts are not only embeddable in wizards, but also in other places (for example project files). People are not necessarily aware of this, nor do antivirus packages necessarily scan project files (for example, I remember from back in the old days when I was foolish enough to use Nerfton, the default setting would only scan a small subset of files).
It is also unclear to what extent the mighty heuristic algorithms found in today's virus scanners are able to scan scripts for unknown malicious code at all (in particular Squirrel, which is probably not even considered to be "code" by most). I'd rather believe they don't do much.
Given functions that can modify files, rename and move files and folders, and execute external programs, scripts are quite a dangerous tool. Embedded scripts are a necessary evil, but they should be as safe as can be. Even then we can never be 100% sure that there is no exploit, but we have done what we can.
While it is true that a plugin could do all of that (and more) too, it is a much more obvious threat. Every user is probably aware of this possibility, and can decide whether or not to take that risk (or could read the sources and recompile the plugin from source).
It is true, too, that I can always ship a makefile that contains a rm /* or some other evil stuff. However, one thing being insecure does not justify making another thing insecure, too (actually I am thinking right now whether it may be a good idea to allow turning off custom makefiles entirely, since most people don't use them anyway).
From a user's point of view, knowing that scripts can be embedded in so many subsystems and a script is able to damage my system or install malware would be a good reason to stop using Code::Blocks for me.
I refuse to look at Word and PowerPoint documents that people send to me for the same reason, even if it's people that I have known for 10 years.
If a user downloads an evil script from an evil website, is it our responsibility to stop that script from doing harm?
Do you work for Microsoft? :lol:
Just wondering... sounds like IE's standard mode of operation