[ic] perl code in mv_check gets executed despite verification failure

Ed LaFrance interchange-users@icdevgroup.org
Thu Feb 20 12:50:00 2003


At 05:35 PM 02/20/2003 +0000, you wrote:
>Ed LaFrance wrote:
>
>>At 10:51 AM 02/20/2003 +0000, you wrote:
>>
>>>Ed LaFrance wrote:
>>>
>>>>
>>>>mv_check execution is not predicated on all form checks passing 
>>>>successfully; mv_check gets parsed after IC data structures are updated 
>>>>by the form submission, that is all. Your explanation above does not 
>>>>clearly explain how you expect to conditionally parse the mv_check 
>>>>target. As is always the case with Interchange, there are many ways. 
>>>>For instance, you could use &success=somepage to pass execution through 
>>>>somepage.html if the form passes all checks, and execute your code there.
>>>>
>>>>- Ed L.
>>>
>>>Problem with that is that people would be able to get at somepage.html 
>>>and execute the code anyway:(
>>>
>>>thanks for the help
>>>
>>>John
>>
>>
>>That can be prevented; for instance:
>>
>>[set yourprofile]
>>         ...
>>         &success=../special_pages/somepage.html
>>[/set]
>>
>>..AFAIK it is not possible to get a page from the special_pages dir by 
>>constructing a simple URL with no query strings, so that would prevent 
>>people from arbitrarily hitting it. To stop someone who might be inclined 
>>to send a form via a query string to get at it, you can just use &calc to 
>>set a flag in the profile to show that execution was sent to the special 
>>page from the proper method:
>>
>>[set yourprofile]
>>         &calc = delete $CGI->{ok_to_parse}; 1;  # can't hurt, I would think
>>         ...
>>         &success=../special_pages/somepage.html
>>         &calc = $CGI->{ok_to_parse} = '1';
>>[/set]
>>
>>...then on special_pages/somepage.html
>>
>>[if cgi ok_to_parse]
>>         # do stuff
>>[else]
>>         # hey, get lost!
>>         [bounce page=index]
>>[/else]
>>[/if]
>
>I know I'm stretching the point a little here.

I would be inclined to agree...

>but if i understand that, then somebody could (if they knew what was 
>required) set ok_to_parse in the query string, no?
>
>thanks
>
>John

Yes, if they knew of its existence. The var could also be named 
oi2457093qfbdwyfq209tr093rhfe, which would make guessing rather difficult. 
Or you could use the scratch space instead:

[set yourprofile]
         &calc = delete $Scratch->{ok_to_parse}; 1;
         ...
         &success=../special_pages/somepage.html
         &calc = $Scratch->{ok_to_parse} = '1';
[/set]

...then on special_pages/somepage.html

[if scratch ok_to_parse]
         [set ok_to_parse][/set]
         # do stuff
[else]
         # hey, get lost!
         [bounce page=index]
[/else]
[/if]

- Ed L.

===============================================================
New Media E.M.S.              Technology Solutions for Business
463 Main St., Suite D         eCommerce | Consulting | Hosting
Placerville, CA  95667        edl@newmediaems.com
(530) 622-9421                http://www.newmediaems.com
(866) 519-4680 Toll-Free      (530) 622-9426 Fax
===============================================================
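The difference between the two variants in the thread (a flag carried in `$CGI`, which the client controls, versus one kept in `$Scratch`, which lives in the server-side session) is the whole security point. The following is an added example, not code from the thread or from Interchange itself: a plain-Python simulation of the profile flow with hypothetical names (`Session`, `run_profile`, `special_page_cgi_check`, `special_page_scratch_check`). It shows that a forged `ok_to_parse=1` query parameter satisfies the CGI check but not the scratch check, and that clearing the scratch flag on use (the `[set ok_to_parse][/set]` line in Ed's page) makes the success page single-use per validated submission.

```python
"""Simulation of the ok_to_parse pattern from the thread.

Constructed example with hypothetical names; it does not use Interchange
APIs. `Session.scratch` stands in for Interchange's $Scratch (server-side,
per-session), `cgi` dicts stand in for $CGI (whatever the client sent).
"""

from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state; the client cannot write to it directly."""
    scratch: dict = field(default_factory=dict)


def run_profile(session: Session, cgi: dict) -> tuple:
    """Stand-in for the [set yourprofile]...[/set] block.

    Mirrors the thread's ordering: clear the flag first (so a stale flag from
    an earlier run cannot survive a failed check), validate the fields, and
    set the flag only when every check passed and execution is handed to the
    &success page. Returns (action, target, errors).
    """
    session.scratch.pop("ok_to_parse", None)  # &calc = delete $Scratch->{ok_to_parse}; 1;

    errors = {}
    if not cgi.get("name", "").strip():
        errors["name"] = "required"
    if "@" not in cgi.get("email", ""):
        errors["email"] = "must contain @"

    if errors:
        # A failed check sends the user back to the form; the flag stays unset.
        return ("redirect", "form", errors)

    session.scratch["ok_to_parse"] = "1"   # &calc = $Scratch->{ok_to_parse} = '1';
    return ("redirect", "../special_pages/somepage.html", {})


def special_page_cgi_check(session: Session, cgi: dict) -> str:
    """The first variant: [if cgi ok_to_parse]. Trusts a client-supplied value."""
    if cgi.get("ok_to_parse"):
        return "do stuff"
    return "bounce index"


def special_page_scratch_check(session: Session, cgi: dict) -> str:
    """The second variant: [if scratch ok_to_parse] followed by [set ok_to_parse][/set].

    Only server-side state is consulted, and the flag is consumed so a second
    hit on the page (a reload, or a replayed request) is bounced.
    """
    if session.scratch.pop("ok_to_parse", None):
        return "do stuff"
    return "bounce index"


def forged_direct_hit(check) -> str:
    """Client skips the form and requests the success page with ok_to_parse=1
    in the query string (constructed request, fresh session)."""
    return check(Session(), {"ok_to_parse": "1"})


def legitimate_flow(check, form: dict) -> list:
    """Submit the form through the profile, then hit the success page twice."""
    session = Session()
    action, target, errors = run_profile(session, form)
    results = [target]
    results.append(check(session, {}))
    results.append(check(session, {}))
    return results


if __name__ == "__main__":
    print("forged hit, CGI check:    ", forged_direct_hit(special_page_cgi_check))
    print("forged hit, scratch check:", forged_direct_hit(special_page_scratch_check))
    print("legit flow, scratch check:",
          legitimate_flow(special_page_scratch_check, {"name": "John", "email": "john@example.invalid"}))
```

Running it shows the forged request reaching `do stuff` under the CGI check and being bounced under the scratch check, while the legitimate flow reaches `do stuff` exactly once. The same consumption of the flag is why the thread's `[set ok_to_parse][/set]` line matters: without it, a user who once passed the profile could keep reloading the special page for the rest of the session.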