Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!usc!rpi!uupsi!sunic!fuug!funic!santra!news
From: alo@kampi.hut.fi (Antti Louko)
Newsgroups: comp.lang.postscript
Subject: Why systemdict is not writeable?
Message-ID: <1991Mar15.075038.18944@santra.uucp>
Date: 15 Mar 91 07:50:38 GMT
Sender: news@santra.uucp (Cnews - USENET news system)
Organization: Helsinki University of Technology
Lines: 68

Some time ago I had to implement a page count restriction feature for
our spooled LaserWriters. First I considered changing some of the
device-dependent routines, (redwrite etc. I don't remember anymore)
but fortunately I decided to take another approach.

I decided replace showpage and copypage operator by my own routines
which first check page limit and then to actual showpage or copypage
or stop if the page count is exceeded.

A portion of this mess looks something like this:

/hiddendict 100 dict begin
    /checkpagelimit {
	...
    } bind executeonly def
    /systemdict dup load def
    /showpage-orig /showpage load
   currentdict
end def

/showpage {
    //hiddendict begin
	checkpagelimit
	old-systemdict /showpage get exec
    end
} bind executeonly def

/hiddendict 0 def

But this didn't solve the whole problem. The original systemdict was
still accessible and a malicious user can redefine showpage to the
original one and defeat pagelimit. Well, I made a copy of systemdict
and put it in userdict. Now users cannot access systemdict. Wrong, he
can still access it using "dictstack" or "where" operators. I had to
replace those, too. I am not still sure that user cannot get the
original systemdict with some trick.

Moral of the story:

systemdict should be writeable!

	Antti Louko (alo@hut.fi)
	Helsinki University of Technology
	Computing Centre
	Otakaari 1
	SF-02150, Espoo
	FINLAND
	tel. work +358 0 4514314
	telefax   +358 0 464788

P.S.

Should I redefine eexec, too. If it is redefined, user cannot include
Type 1 fonts in his jobs. If it is not redefined, user can get
showpage by eexec-encrypting

/showpage load
currentfile closefile

and feeding it to eexec.

An alternative for writebale systemdict would be to add

setsystemdict operator which would effectively replace systemdict
everywhere in the PostScript interpreter. It would suffice if it would
be in the internaldict.

I would really appreciate comments from Adobe, too.