Be Careful

pmb
Posts: 2
Joined: Saturday 27th June 2020 7:44pm

Post by pmb »

Hello. First Post.

In the past, I created a password manager. First in VB and then eventually it was migrated to Gambas. It runs with a separate file for the accounts and passwords. I have used it thousands of times. I run it from the IDE primarily to see any errors that are generated, if any. There have been no errors in years.

Recently I ran the app from the compiled version on a stick and I was very surprised. None of the accounts and passwords matched. I checked and double-checked and triple-checked the data file and nothing was wrong. The IDE copy worked well.

After some creative thinking, I checked the compiled app with Okteta (hex editor) and searched for some of the new reported entries. To my surprise my entire password file from long ago was stored in the compiled version. Everything!

The data file is retrieved through a "hFile = Open . . ." at the beginning of the programming code. It is my guess that the compiling brings in all the open file references, possibly to save time and resources. Every time a user compiles a new copy then the file is retrieved and updated.

I changed my code to incorporate a dialog file open instead of the old code. This way the app does not know what file is to be retrieved.

In conclusion, I will say that if a file is referenced in your code then the contents are probably in the compiled code. I know from previous experience that whatever is in the 'img' directory is captured and added to the compiled version possibly bloating the app with unused images.

It appears that my own program is a huge security risk. Check your compiled code for other things that may have snuck in, especially if you are cutting your app loose in the wild.

Hope this helps someone.

pmb
Re: Be Careful

Post by pmb »

A correction!

The caution is valid but my research was flawed. When I searched the compiled program the second time for the offending text file I searched for the wrong word. Instead of searching for ***_***, I searched for ******. The search returned zarro. I can blame it on a senior moment!

The cause of the included file seemed to be that any file residing in the IDE directory will be automatically included in the compiled code, the same as the 'img' directory. I have not tried to create a directory such as 'data' and lodge the text file there but I will follow up on this.

Hope this helps. Sorry for the misdirection.

pmb
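
The check the first post recommends ("Check your compiled code"), as an added example that is not part of either post: a Python script that searches a compiled executable for every line of a data file instead of one hand-typed word. The function names, `MIN_LEN` and the sample data are assumptions, and it only detects content stored uncompressed, which is how the post found it with a hex editor.

```python
import sys
from pathlib import Path

MIN_LEN = 6  # assumption: shorter lines would match by coincidence


def find_leaked_lines(data_text: str, blob: bytes, min_len: int = MIN_LEN):
    """Return [(line_no, encoding, offset)] for data-file lines present in blob."""
    hits = []
    for line_no, line in enumerate(data_text.splitlines(), start=1):
        needle = line.strip()
        if len(needle) < min_len:
            continue
        # Text may be embedded as UTF-8 or as UTF-16 little-endian.
        for encoding in ("utf-8", "utf-16-le"):
            offset = blob.find(needle.encode(encoding))
            if offset != -1:
                hits.append((line_no, encoding, offset))
                break
    return hits


def scan(data_path: str, binary_path: str):
    """Compare a sensitive data file against a compiled executable on disk."""
    data_text = Path(data_path).read_text(encoding="utf-8", errors="replace")
    return find_leaked_lines(data_text, Path(binary_path).read_bytes())


if __name__ == "__main__":
    if len(sys.argv) == 3:
        results = scan(sys.argv[1], sys.argv[2])
    else:
        # Constructed sample: one account line embedded in a fake binary.
        sample_data = "bank.example;alice;Tr0ub4dor&3\nmail.example;bob;correct-horse\n"
        sample_blob = b"\x00HDR\x00bank.example;alice;Tr0ub4dor&3\x00\x01padding"
        results = find_leaked_lines(sample_data, sample_blob)
    # Report line numbers and offsets only, never the secret itself.
    for line_no, encoding, offset in results:
        print(f"data line {line_no} found as {encoding} at offset 0x{offset:x}")
    sys.exit(1 if results else 0)
```

Run it with the data file and the compiled executable as the two arguments; a non-zero exit status means at least one line of the data file is inside the executable.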