[ic] reparse security risk

Mike Heins mike at perusion.com
Mon May 16 15:18:06 EDT 2005


Quoting ic at unrendered.org (ic at unrendered.org):
> Hi --
> 
> I'm running Interchange 5.2.0. I've just come across a security hole on
> one of my sites with reparsing [perl] output in custom code. An example
> looks something like this:
> 
> [perl] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username} [/perl]
> 
> This allows users to run arbitrary ITL code just by submitting it in
> their email address, since the output of the [perl] tag will be reparsed
> by default. Of course the issue can be addressed by changing it to
> 
> [perl reparse=0] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username}
> [/perl]
> 
> My questions are:
> 
> 1) This behavior seems very nonintuitive. What are the general best
> practices in Interchange to avoid accidentally parsing user data?
> 
> 2) Is there any global fix I can apply, along the lines of making
> reparse default to 0 for perl blocks, or do I just have to revisit each
> block?

We warn against returning $CGI values in the programming section, and
we give examples of how you can scrub things.

You should always use $Values objects for this type of thing, which don't
allow ITL introduction sequences.

You can set reparse=0 easily in interchange.cfg:

    UserTag perl Reparse 0

We might consider doing that, as these days returning ITL to parse
is passé.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Fast, reliable, cheap.  Pick two and we'll talk.  -- unknown
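The reparse problem from this thread, as an added Perl example that is not Interchange's own code: a hypothetical scrub_itl helper neutralises the ITL introduction sequence before the block's output is returned, shown beside the original unsafe body. The %CGI hash and its email value are constructed for the demonstration; the config-level alternative is still the UserTag line in the reply above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of what a [perl] block sees in $CGI: the email value
# carries an ITL introduction sequence "[" that the default reparse pass
# would otherwise hand to the tag parser.
my %CGI = (
    email       => 'user@example.com [comment]not data[/comment]',  # constructed
    mv_username => 'alice',
);

# Hypothetical helper (not part of Interchange): neutralise ITL introduction
# sequences in user data that is about to be returned from a reparsed block
# by replacing "[" with its HTML numeric entity. The browser still renders
# "[", but the ITL parser no longer sees a tag opener.
sub scrub_itl {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/\[/&#91;/g;
    return $s;
}

# Body of the original block from the thread: raw $CGI data flows straight
# into output that is reparsed as ITL.
sub unsafe_body {
    return $CGI{email} ? $CGI{email} : $CGI{mv_username};
}

# Hardened body: same selection logic, output scrubbed before it is returned,
# so reparse has nothing to interpret.
sub safe_body {
    return scrub_itl( $CGI{email} ? $CGI{email} : $CGI{mv_username} );
}

print "unsafe: ", unsafe_body(), "\n";   # still contains a literal "["
print "safe:   ", safe_body(),   "\n";   # "[" replaced by &#91;
```

Scrubbing covers a single block; setting `UserTag perl Reparse 0` in interchange.cfg, as the reply suggests, removes the reparse pass for every [perl] block at once.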

