[ic] [loop-code] interpolation = security risk?
Jon Jensen
jon at endpoint.com
Thu Oct 23 00:07:11 UTC 2014
On Wed, 22 Oct 2014, Grant wrote:
> "some places" in the demo store or in people's code in general?
I don't recall, but it doesn't much matter. Most IC5 code is being written
on existing catalogs, not based on whatever is in the demo today. :)
> Maybe a catalog directive to enable/disable the landmines?
That would be fine with me. A patch would be welcome.
>> If you need to use IC5, I'd recommend moving loop logic into a Perl
>> module that you then invoke from a usertag, or something similar. Then
>> you'll have a lot more safety and control, and usually more speed too.
>
> I'm sorry to hear that. Should ITL generally be avoided for security,
> or just [loop]?
I don't think any of it needs to be avoided for security; this is a
general observation that has always been true in my opinion. Compiled Perl
that has strict and warnings checks is simply a better environment for
programming in than the ad-hockery that is ITL. But I don't know of any
security problems with ITL in general.
Even what you pointed out is typically not going to be a security problem
because Interchange escapes [ characters coming from the wild and your
database. I don't think it's ideal, but I also don't think it's worth
fighting with ITL in the absence of a clearly exploitable vulnerability.
> Is IC6 ready for prime time?
Not yet, but it's getting closer!
You're an experienced Interchange developer, so I think this is a good
time for someone like you to get involved with IC6. It'll be ready for
prime time a lot quicker if we have more people involved porting sites to
it, or starting new ones.
Jon
--
Jon Jensen
End Point Corporation
https://www.endpoint.com/