Thanks rejetto for your reply.
It would be very interesting to have a way to {load} files containing macros from the secure hfs.exe (I call it sys) folder, as the template I'm working with is not a standalone template, but some kind of flexible template-building kit that should allow the template builder to include or leave out different features. So, instead of having one big template, there are a number of alternative include files.
As all these files will be in the secure sys folder, I see no way to compromise the security of hfs with this option. Also, as you don't allow upload or renaming of .tpl files, there could be an additional security measure allowing macro execution only from .tpl files.
The feature is also especially interesting while developing: I can include debug sections, and, what is very time efficient, I can have sections under construction open (and loaded) in Notepad++. This means there is no need to return to the hfseditor to import and apply: simply reloading the page uses the modified code from Notepad++.
This feature also allows hfs to be used as a toolkit, for example for the admin user to build HTML tables from .csv (comma-separated values) files. If features like that and many others are only included when a special condition is met, this allows the main .tpl file to be kept at a reasonable size.
Summing up: for my work there is a need to load files with executable macros from the secure sys folder. I see two possible secure solutions for this:
a) if {.load...} loads a file (check that there is only a filename and no full path) from the secure sys folder, allow macro execution as if this code were simply included in that place.
b) create a {.sload|filename.} (alt. names: sysload, include...) macro to achieve this special behaviour, accepting only filenames without a path and using the path of hfs.exe.
I am now using this feature with build #178, and it works really great.
Thanks
bacter
« Last Edit: February 26, 2008, 04:50:01 PM by bacter »
your computer has no brain - use your own !
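
The filename check proposed in options a) and b) above, written out as an added example in Python; it is not part of the original post and not HFS code. The names `resolve_sys_include`, `check_all` and `sys_dir` are hypothetical, and the .tpl-only rule is the optional restriction suggested in the post.

```python
import ntpath
import os
import tempfile

ALLOWED_EXT = ".tpl"  # assumption taken from the post: macros run only from .tpl files


def resolve_sys_include(sys_dir, name):
    """Return the real path of `name` inside `sys_dir`, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    # Both separator styles, drive letters ("C:x") and NTFS streams ("a.tpl:x").
    if any(c in name for c in "/\\:"):
        raise ValueError("path separator or colon")
    # Windows strips trailing dots and spaces, so "x.tpl." would open "x.tpl".
    if name != name.rstrip(". "):
        raise ValueError("trailing dot or space")
    if ntpath.splitext(name)[1].lower() != ALLOWED_EXT:
        raise ValueError("extension is not .tpl")
    base = os.path.realpath(sys_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link inside sys_dir cannot lead outside it.
    if os.path.dirname(candidate) != base:
        raise ValueError("resolves outside the sys folder")
    if not os.path.isfile(candidate):
        raise ValueError("no such file")
    return candidate


def check_all(sys_dir, names):
    """Map each requested name to 'ok' or its rejection reason."""
    results = {}
    for n in names:
        try:
            resolve_sys_include(sys_dir, n)
            results[n] = "ok"
        except ValueError as exc:
            results[n] = str(exc)
    return results


def demo():
    # Constructed sample: a temporary folder stands in for the hfs.exe folder.
    with tempfile.TemporaryDirectory() as d:
        for fn in ("debug.tpl", "notes.txt"):
            open(os.path.join(d, fn), "w").close()
        return check_all(d, ["debug.tpl", "notes.txt", "..\\other.tpl",
                             "C:debug.tpl", "debug.tpl.", "missing.tpl"])


if __name__ == "__main__":
    print(demo())
```

The separator and colon checks are applied on every platform, so the same policy holds whether the server folder is on Windows or elsewhere.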