[ic] [loop-code] interpolation = security risk?
jon at endpoint.com
Thu Oct 23 00:07:11 UTC 2014
On Wed, 22 Oct 2014, Grant wrote:
> "some places" in the demo store or in people's code in general?
I don't recall, but it doesn't much matter. Most IC5 code is being written
on existing catalogs, not based on whatever is in the demo today. :)
> Maybe a catalog directive to enable/disable the landmines?
That would be fine with me. A patch would be welcome.
>> If you need to use IC5, I'd recommend moving loop logic into a Perl
>> module that you then invoke from a usertag, or something similar. Then
>> you'll have a lot more safety and control, and usually more speed too.
> I'm sorry to hear that. Should ITL generally be avoided for security,
> or just [loop]?
I don't think any of it needs to be avoided for security; this is a
general observation that has always been true in my opinion. Compiled Perl
that has strict and warnings checks is simply a better environment for
programming in that the ad-hockery that is ITL. But I don't know of any
security problems with ITL in general.
Even what you pointed out is typically not going to be a security problem
because Interchange escapes [ characters coming from the wild and your
database. I don't think it's ideal, but I also don't think it's worth
fighting with ITL in the absence of a clearly exploitable vulnerability.
> Is IC6 ready for prime time?
Not yet, but it's getting closer!
You're an experienced Interchange developer, so I think this is a good
time for someone like you to get involved with IC6. It'll be ready for
prime time a lot quicker if we have more people involved porting sites to
it, or starting new ones.
End Point Corporation
More information about the interchange-users