[ic] perl code in mv_check gets executed despite verification failure
John Allman
interchange-users@icdevgroup.org
Thu Feb 20 12:30:01 2003
Ed LaFrance wrote:
> At 10:51 AM 02/20/2003 +0000, you wrote:
>
>> Ed LaFrance wrote:
>>
>>>
>>> mv_check execution is not predicated on all form checks passing
>>> successfully; mv_check gets parsed after IC data structures are
>>> updated by the form submission, that is all. Your explanation above
>>> does not clearly explain how you expect to conditionally parse the
>>> mv_check target. As is always the case with Interchange, there are
>>> many ways. For instance, you could use &success=somepage to pass
>>> execution through somepage.html if the form passes all checks, and
>>> execute your code there.
>>>
>>> - Ed L.
>>
>> Problem with that is that people would be able to get at
>> somepage.html and execute the code anyway:(
>>
>> thanks for the help
>>
>> John
>
>
> That can be prevented; for instance:
>
> [set yourprofile]
> ...
> &success=../special_pages/somepage.html
> [/set]
>
> ..AFAIK it is not possible to get a page from the special_pages dir by
> constructing a simple URL with no query strings, so that would prevent
> people from arbitrarily hitting it. To stop someone who might be
> inclined to send a form via a query string to get at it, you can just
> use &calc to set a flag in the profile to show that execution was sent
> to the special page from the proper method:
>
> [set yourprofile]
> &calc = delete $CGI->{ok_to_parse}; 1; # can't hurt, I would think
> ...
> &success=../special_pages/somepage.html
> &calc = $CGI->{ok_to_parse} = '1';
> [/set]
>
> ...then on special_pages/somepage.html
>
> [if cgi ok_to_parse]
> # do stuff
> [else]
> # hey, get lost!
> [bounce page=index]
> [/else]
> [/if]
I know I'm stretching the point a little here, but if I understand that,
then somebody could (if they knew what was required) set ok_to_parse in
the query string, no?
Thanks,
John
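John's question above, modelled in stand-alone Perl as an added example (this is not Interchange code and not from the thread): the quoted profile and gate are reduced to plain hashes, with %cgi standing for everything the client sent and %session for a server-side store. The functions run_profile, gate_cgi and gate_session, and the session-flag variant, are assumptions made here.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: a model of the &calc /
# [if cgi ok_to_parse] gate from the quoted message. $cgi holds only
# what the client submitted; $session is assumed to be server-side.
use strict;
use warnings;

# Stand-in for the quoted profile. $checks_pass models the outcome of
# the form checks; only on success does execution reach &success.
sub run_profile {
    my ($cgi, $session, $checks_pass) = @_;
    delete $cgi->{ok_to_parse};          # &calc = delete $CGI->{ok_to_parse}
    return 'form' unless $checks_pass;   # failed check: back to the form
    $cgi->{ok_to_parse} = '1';           # &calc = $CGI->{ok_to_parse} = '1'
    $session->{ok_to_parse} = 1;         # same flag, server-side (assumption)
    return 'special_pages/somepage';
}

# The gate as quoted on somepage.html: trusts a client-visible CGI value.
sub gate_cgi {
    my ($cgi) = @_;
    return $cgi->{ok_to_parse} ? 'do stuff' : 'bounce';
}

# Variant: consume a one-shot flag the client cannot write to.
sub gate_session {
    my ($session) = @_;
    return delete $session->{ok_to_parse} ? 'do stuff' : 'bounce';
}

# Case 1: normal flow, the profile runs and every check passes.
my (%cgi, %session);
run_profile(\%cgi, \%session, 1);
print "profile ran:  ", gate_cgi(\%cgi), " / ", gate_session(\%session), "\n";

# Case 2: the client reaches the special page without the profile running,
# supplying ok_to_parse=1 itself. Nothing was deleted, nothing was set
# server-side.
%cgi     = (ok_to_parse => '1');
%session = ();
print "direct hit:   ", gate_cgi(\%cgi), " / ", gate_session(\%session), "\n";
```

In case 2 the CGI gate still answers "do stuff" because the only thing it checks is a value the client wrote, while the session gate bounces. Whether a request can reach the special page without the profile running is the question the thread leaves open; the model only shows what each gate can and cannot tell apart.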