[ic] reparse security risk

ic at unrendered.org ic at unrendered.org
Mon May 16 14:33:32 EDT 2005

Hi --

I'm running Interchange 5.2.0. I've just come across a security hole on
one of my sites with reparsing [perl] output in custom code. An example
looks something like this:

[perl] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username} [/perl]

This allows users to run arbitrary ITL code just by submitting it in
their email address, since the output of the [perl] tag will be reparsed
by default. Of course the issue can be addressed by changing it to

[perl reparse=0] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username}

My questions are:

1) This behavior seems very nonintuitive. What are the general best
practices in Interchange to avoid accidentally parsing user data?

2) Is there any global fix I can apply, along the lines of making
reparse default to 0 for perl blocks, or do I just have to revisit each


More information about the interchange-users mailing list