[ic] reparse security risk

Mike Heins mike at perusion.com
Mon May 16 15:18:06 EDT 2005

Quoting ic at unrendered.org (ic at unrendered.org):
> Hi --
> I'm running Interchange 5.2.0. I've just come across a security hole on
> one of my sites with reparsing [perl] output in custom code. An example
> looks something like this:
> [perl] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username} [/perl]
> This allows users to run arbitrary ITL code just by submitting it in
> their email address, since the output of the [perl] tag will be reparsed
> by default. Of course the issue can be addressed by changing it to
> [perl reparse=0] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username}
> [/perl]
> My questions are:
> 1) This behavior seems very nonintuitive. What are the general best
> practices in Interchange to avoid accidentally parsing user data?
> 2) Is there any global fix I can apply, along the lines of making
> reparse default to 0 for perl blocks, or do I just have to revisit each
> block?

We warn against returning $CGI values in the programming section, and
we give examples of how you can scrub things.

You should always use $Values objects for this type of thing, which don't
allow ITL introduction sequences.

You can set reparse=0 easily in interchange.cfg:

    UserTag perl Reparse 0

We might consider doing that, as these days returning ITL to parse
is passe.

Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Fast, reliable, cheap.  Pick two and we'll talk.  -- unknown

More information about the interchange-users mailing list