
ABENDYN_CALL_SCRTY - DYN CALL SCRTY

This documentation is copyright by SAP AG.

Dynamic Calls

In dynamic calls, the name of the called unit is specified as the content of a character-like data object. If some or all of this content originates outside of the calling program, there is a risk that units are called unintentionally. The only way of tackling this security risk is to perform a comparison with an include list. The class CL_ABAP_DYN_PRG provides the methods CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB for that purpose.

Potential dynamic calls and hence a potential security risk when handling input can occur in the following cases:

  • When an executable program is specified dynamically after SUBMIT.
  • When classes and methods are specified dynamically in a dynamic method call using CALL METHOD.
  • When a class is specified dynamically in CREATE OBJECT (a dynamic call of the instance constructor).
  • When the function module is specified dynamically in a function module call using CALL FUNCTION (particularly if RFC is used).
  • When subroutines and programs are specified dynamically in dynamic subroutine calls using PERFORM.
  • When the system function is specified dynamically in the internal statement CALL.

Note

In addition to checking that a call is intended, a sufficient authorization check on the current user is also required in program calls.

Example

In the following program section, a transaction name, when entered, is checked against an include list that contains only transactions from the ABAP example library.
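
The following sketch is an added example, not the code from the original SAP documentation. It shows one way to implement such a check with CHECK_WHITELIST_TAB, followed by the authorization check mentioned in the note. The report name, the parameter name, the message texts, and the assumption that the example library transactions are the TADIR entries of package SABAPDEMOS are illustrative.

```abap
REPORT z_demo_dyn_call_check. " hypothetical report name

" Transaction code entered by the user, that is, content from outside
PARAMETERS p_tcode TYPE sy-tcode.

START-OF-SELECTION.

  " Build the include list from the repository instead of hard-coding it.
  " Assumption: the example library transactions are the object directory
  " entries of type TRAN in package SABAPDEMOS.
  DATA include_list TYPE string_hashed_table.
  SELECT obj_name
    FROM tadir
    WHERE pgmid    = 'R3TR'
      AND object   = 'TRAN'
      AND devclass = 'SABAPDEMOS'
    INTO TABLE @include_list.

  " Only the value returned by the check is used afterwards,
  " never the raw input.
  TRY.
      DATA(checked_tcode) = CONV sy-tcode(
        cl_abap_dyn_prg=>check_whitelist_tab(
          val       = to_upper( p_tcode )
          whitelist = include_list ) ).
    CATCH cx_abap_not_in_whitelist.
      MESSAGE 'Transaction is not in the include list'
        TYPE 'I' DISPLAY LIKE 'E'.
      RETURN.
  ENDTRY.

  " The include list only establishes that the call is intended.
  " The current user's authorization is checked separately.
  TRY.
      CALL TRANSACTION checked_tcode WITH AUTHORITY-CHECK.
    CATCH cx_sy_authorization_error.
      MESSAGE 'No authorization for this transaction'
        TYPE 'I' DISPLAY LIKE 'E'.
  ENDTRY.
```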





