Many tutorials say to place some code in lib/file.js where it can run on both client and server.
Does that also allow the client to modify the code as they like? Thanks
Updating my answer to clarify what David is saying below:
You can change the definitions of any client-side accessible code you want. Server code itself cannot be changed while it's running unless you're using eval() or are able to mess with the file system from the client. This is important because even if you change the client code to do something that would potentially look malicious, the server code wouldn't execute that code as such, since they are defined in two completely separate places (your machine on the client versus the actual server).
If you mean can the client see the code being executed, then yes, they'll be able to see the minified version of anything in lib/file.js.
Related
I am a little unclear on the ‘secure server code’ section of the Meteor guide as to how code remains secure and accessible. I understand that you can place code in a server directory and call it from a place where code is shared, but how does this work with imports?
Won't you need to import the secure function into the shared code location so it works on the server? Yet that secure code is not available on the client, as expected, so it will create an error. Is there some sort of conditional import you have to set up (depending on whether the code is run on the server or client) to make this work?
Could someone let me know where my understanding on this topic is lacking?
Many thanks.
I am part of a popular forum that is all about sharing/selling Lua scripts, some are open source, some are not.
I would like to know if there is an automated way of identifying whether a certain Lua script contains malicious code, for example os.execute('format C:'), or just any os.execute command.
Because, even if we require the user to provide the moderators with an open source copy of his script, how can we be sure it's the same, or that he doesn't change the link to his script?
Thanks in advance.
Run the scripts inside a sandbox and only allow the safe commands to be executed. For example, disable os.execute. See the Lua SandBoxes wiki page for Lua-specific details.
If you need to allow calls like os.execute, but need to filter out some calls, then there is probably not much chance to secure it based on code review. What if the code includes something like os.execute('for'..'mat C'..string.char(58))? You can't even detect that it's 'format C:' without some code execution.
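As an added example (not code from the answer above or from the forum in question), here is a minimal sandbox for Lua 5.2 or later that applies both points of the answer: the untrusted script runs with an allow-listed environment in which os simply does not exist, and a naive string scan is placed beside it to show why the concatenated form slips past static inspection. The names make_env, run_sandboxed and looks_dangerous, the instruction budget and the four sample scripts are all constructed for this example.

```lua
-- Added example, not code from the original thread: an allow-list sandbox
-- for untrusted Lua scripts (Lua 5.2+ `load` with an explicit env table;
-- Lua 5.1 would use setfenv instead).

-- Build a fresh environment exposing only side-effect-free functions.
-- Everything not listed here (os, io, require, load, dofile, debug, _G,
-- rawset, setmetatable, ...) is absent from the script's world, so no
-- spelling of os.execute, literal or assembled at runtime, can reach it.
local function make_env()
  return {
    print = print, pairs = pairs, ipairs = ipairs, next = next, select = select,
    tonumber = tonumber, tostring = tostring, type = type, error = error,
    pcall = pcall, assert = assert, unpack = table.unpack,
    string = {
      byte = string.byte, char = string.char, find = string.find,
      format = string.format, gsub = string.gsub, len = string.len,
      lower = string.lower, match = string.match, rep = string.rep,
      sub = string.sub, upper = string.upper,
    },
    table = {
      concat = table.concat, insert = table.insert,
      remove = table.remove, sort = table.sort,
    },
    math = {
      abs = math.abs, ceil = math.ceil, floor = math.floor, huge = math.huge,
      max = math.max, min = math.min, pi = math.pi, sqrt = math.sqrt,
    },
  }
end

-- Run `src` inside the allow-list env with an instruction budget.
-- Returns (true, value) on success or (false, message) on any failure.
local function run_sandboxed(src, step_budget)
  -- Mode "t" accepts source text only: precompiled bytecode is rejected,
  -- because crafted bytecode can crash the VM or escape the environment.
  local fn, compile_err = load(src, "=untrusted", "t", make_env())
  if not fn then return false, "compile error: " .. compile_err end

  -- Run in its own coroutine so a count hook can abort runaway loops
  -- without touching any hook the host itself may have installed.
  local co = coroutine.create(fn)
  local function budget_hook()
    -- Re-arm at every instruction so the script cannot pcall() the error
    -- and carry on; the next instruction outside its pcall ends it.
    debug.sethook(budget_hook, "", 1)
    error("instruction budget exceeded", 2)
  end
  debug.sethook(co, budget_hook, "", step_budget or 1000000)
  local ok, result = coroutine.resume(co)
  return ok, result
end

-- The kind of static check the question asks about. It catches the literal
-- but, as the answer says, cannot see a string that only exists at runtime.
local function looks_dangerous(src)
  return src:find("format C:", 1, true) ~= nil
end

-- Constructed samples (not real scripts from the forum).
local samples = {
  benign     = [[ return ("hello"):upper() .. " " .. tostring(1 + 2) ]],
  literal    = [[ return os.execute('format C:') ]],
  obfuscated = [[ return os.execute('for'..'mat C'..string.char(58)) ]],
  runaway    = [[ while true do end ]],
}

for name, src in pairs(samples) do
  local ok, result = run_sandboxed(src, 100000)
  print(string.format("%-10s static-check=%-5s sandbox-ok=%-5s -> %s",
        name, tostring(looks_dangerous(src)), tostring(ok), tostring(result)))
end
```

The static check flags only the literal sample; the sandbox rejects both os.execute variants because os is not a global in the environment, and the count hook terminates the runaway loop. Two caveats a reviewer would want noted: the metatable shared by all string values still points at the host's real string library, so a script can reach functions such as string.dump through method syntax even though they are not in the copied string table (the Lua SandBoxes wiki covers this), and nothing here bounds memory, so a call like string.rep with a huge count can still exhaust the host; a memory limit has to come from the embedding application's allocator or from periodic collectgarbage("count") checks.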
I'm using minimongoid on my Meteor project and I don't know if before Create and validations are done server side or client side. Does anyone know?
From its package.js file it looks like both! Also mentioned in the github readme.
So you can share the model files between the client and server. I'm not absolutely certain, however, that if you insert a model on the client and it's been fiddled with by a hacker or something, it will be validated on the server automagically.
You might have to also validate it on the server too. The best place to do this would be in your collection's .allow method. Looking at the source of minimongoid there isn't anything tied up to .allow or .deny so you will need to validate it on the server with these.
I write a lot of code, most of which I throw away eventually when I am done with it. Recently I was thinking that if I just kept every small piece of utility script I wrote, named it, tagged it and filed it in a dev shell, I would never lose the code, and on top of that I wouldn't need to redo something I have done already, which is the main motivation, as I keep finding myself writing something I've done earlier.
Is there an ASP.NET shell-style environment anywhere?
If not, what would be the best way to go about this?
I am looking to be able to do the following:
Write big or small bits of code.
Derive from or chain together already written code/libraries/services.
Ability to have everything on my desktop (would that mean IIS on the desktop? or is there an lighter weight mechanism?), sync'ed with the server at home, so if I am on the move I can still access this and make this part of my day-to-day workflow.
You could build a unique solution, with many class library projects inside. Each project would address a specific scenario, something like this:
MyStuff (Solution)
MyStuff.Common
MyStuff.Validation
MyStuff.Web
MyStuff.Encryption
etc.
Then you can put this solution on an online versioning service like Bitbucket or Assembla, so you can access your source code from anywhere, edit it and commit it back to the server. This way you get the advantages of versioning and you store your code on a remote server, so even if your hard disk breaks it's not a problem, because what's on the server is what matters.
You should either look into a source control system (Git perhaps?) or into a file storage / syncing / sharing service like DropBox.
DropBox would allow you to access code snippets from wherever you are and works really easily (just drop a file into a folder).
If you need versioning and branching you're going to have to look into a source control system. Since you have a server at home, that should be no problem.
I need to download two Excel files onto the client, and then run a (diff) executable against them. I know how to download a single Excel file, from here. But how to download a second one automatically in succession? And then how to run a batch command on them? Is this even realistic? Any guidance or pointers would be greatly appreciated.
Thanks,
Mike
To download multiple files at once you have two main options:
1) Just open multiple windows to your page generation script to download multiple files as per http://www.webdeveloper.com/forum/showpost.php?s=b4f6b25edeb6b7ea55434c4685a675fe&p=950225&postcount=6
2) Archive the files into a package (zip/arj/7z etc..) and send the archive to the client.
eg. http://www.motobit.com/tips/detpg_multiple-files-one-request/
As for doing the diff client-side, that is a lot more tricky, as Shhnap has already mentioned. If you are doing this for a controlled client base you may be able to get them to allow permissions for an ActiveX script that runs something client side (or fires off a console application), but if you don't have fine control over the client environment then I can't think of a way to do it.
As Shhnap suggested can you not just do the comparison server-side (and then send this to the client as a third file?)
Well, just some pointers, because I'm not sure I completely understand the problem. You want a user to be given two downloads at the same time and then run a diff command against those two files? On the server or the client, I'm not sure? You'll have a lot of problems automating the client side version because forcing people to run client side code is usually frowned upon by virus protection software.
The server side diff sounds exactly like a CGI moment to me: http://www.cs.tut.fi/~jkorpela/perl/cgi.html. That will allow you to generate a web-page that shows the diff between the two. CGI allows you to run programs on your server and display their output in a webpage; that's the simple explanation.
If that was not quite what you wanted then feel free to give me a comment and I'll try and edit to answer correctly.