[ic] perl code in mv_check gets executed despite verification failure

John Allman interchange-users@icdevgroup.org
Fri Feb 21 04:28:01 2003


Ed LaFrance wrote:

> At 05:35 PM 02/20/2003 +0000, you wrote:
>
>> Ed LaFrance wrote:
>>
>>> At 10:51 AM 02/20/2003 +0000, you wrote:
>>>
>>>> Ed LaFrance wrote:
>>>>
>>>>>
>>>>> mv_check execution is not predicated on all form checks passing 
>>>>> successfully; mv_check gets parsed after IC data structures are 
>>>>> updated by the form submission, that is all. Your explanation 
>>>>> above does not clearly explain how you expect to conditionally 
>>>>> parse the mv_check target. As is always the case with Interchange, 
>>>>> there are many ways. For instance, you could use &success=somepage 
>>>>> to pass execution through somepage.html if the form passes all 
>>>>> checks, and execute your code there.
>>>>>
>>>>> - Ed L.
>>>>
>>>>
>>>> Problem with that is that people would be able to get at 
>>>> somepage.html and execute the code anyway:(
>>>>
>>>> thanks for the help
>>>>
>>>> John
>>>
>>>
>>>
>>> That can be prevented; for instance:
>>>
>>> [set yourprofile]
>>>         ...
>>>         &success=../special_pages/somepage.html
>>> [/set]
>>>
>>> ..AFAIK it is not possible to get a page from the special_pages dir 
>>> by constructing a simple URL with no query strings, so that would 
>>> prevent people from arbitrarily hitting it. To stop someone who 
>>> might be inclined to send a form via a query string to get at it, 
>>> you can just use &calc to set a flag in the profile to show that 
>>> execution was sent to the special page from the proper method:
>>>
>>> [set yourprofile]
>>>         &calc = delete $CGI->{ok_to_parse}; 1;  # can't hurt, I 
>>> would think
>>>         ...
>>>         &success=../special_pages/somepage.html
>>>         &calc = $CGI->{ok_to_parse} = '1';
>>> [/set]
>>>
>>> ...then on special_pages/somepage.html
>>>
>>> [if cgi ok_to_parse]
>>>         # do stuff
>>> [else]
>>>         # hey, get lost!
>>>         [bounce page=index]
>>> [/else]
>>> [/if]
>>
>>
>> I know i'm stretching the point a little here.
>
>
> I would be inclined to agree...
>
>> but if i understand that, then somebody could (if they knew what was 
>> required) set ok_to_parse in the query string, no?
>>
>> thanks
>>
>> John
>
>
> Yes, if they knew of its existence. The var could also be named 
> oi2457093qfbdwyfq209tr093rhfe, which would make guessing rather 
> difficult. Or you could use the scratch space instead:
>
> [set yourprofile]
>         &calc = delete $Scratch->{ok_to_parse}; 1;
>         ...
>         &success=../special_pages/somepage.html
>         &calc = $Scratch->{ok_to_parse} = '1';
> [/set]
>
> ...then on special_pages/somepage.html
>
> [if scratch ok_to_parse]
>         [set ok_to_parse][/set]
>         # do stuff
> [else]
>         # hey, get lost!
>         [bounce page=index]
> [/else]
> [/if]
>
> - Ed L.

Yeah - that occurred to me overnight:) I guess that's what I'll do as I'm 
sure it'll work. Would love to get Mike's solution working though as I 
think it's more flexible and would be more beneficial for me later. If 
anyone can suggest why it didn't work please let me know. Is it anything 
to do with the order of the statements in my profile? Anyway - thanks Ed 
- that'll do nicely for now:)

thanks

John
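The difference between Ed's two profile variants, modelled in plain Python as an added example (this is not Interchange code and not from the thread; `Session`, `run_profile`, `special_page_cgi_gate` and `special_page_scratch_gate` are hypothetical names standing in for the `[set yourprofile]` block and the two versions of `somepage.html`). The point it shows: a flag carried in the request (`$CGI`) can be supplied by whoever requests the page, while a flag in server-side scratch space is only ever set by the profile after every check has passed, and clearing it on the special page makes it single-use.

```python
"""Model of gating a post-profile page on a CGI flag versus a scratch flag.

Added example, not Interchange code: Session.scratch stands in for
$Scratch, the `cgi` dict for $CGI, and `checks` for the profile's
form checks (e.g. `email=required`).
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Per-user server-side state; the request cannot write to it."""
    scratch: dict = field(default_factory=dict)


def run_profile(session, cgi, checks):
    """Model of [set yourprofile]: clear the flag first, run every check,
    and set the scratch flag only when all of them pass. Returns the page
    execution is sent to."""
    session.scratch.pop("ok_to_parse", None)      # &calc = delete $Scratch->{ok_to_parse}; 1;
    for check in checks:
        if not check(cgi):
            return "form_page"                    # a check failed: back to the form
    session.scratch["ok_to_parse"] = "1"          # &calc = $Scratch->{ok_to_parse} = '1';
    return "special_pages/somepage"               # &success=../special_pages/somepage.html


def special_page_cgi_gate(session, cgi):
    """somepage.html with [if cgi ok_to_parse]: the gate reads the request,
    so anyone who knows the variable name can open it."""
    if cgi.get("ok_to_parse"):
        return "did stuff"
    return "bounced to index"                     # [bounce page=index]


def special_page_scratch_gate(session, cgi):
    """somepage.html with [if scratch ok_to_parse]: the gate reads session
    state the request cannot set, and clears it so the page runs exactly
    once per successful profile pass."""
    if session.scratch.get("ok_to_parse"):
        session.scratch["ok_to_parse"] = ""       # [set ok_to_parse][/set]
        return "did stuff"
    return "bounced to index"


def demo():
    """Walk both gates through a forged request and a legitimate submission."""
    checks = [lambda c: bool(c.get("email"))]     # constructed stand-in for `email=required`
    results = {}

    # Direct hit on somepage with the flag in the query string, no profile run.
    forged = {"ok_to_parse": "1"}
    results["forged_cgi_gate"] = special_page_cgi_gate(Session(), forged)
    results["forged_scratch_gate"] = special_page_scratch_gate(Session(), forged)

    # Legitimate flow: failed check, then passing check, then a replay.
    s = Session()
    results["failed_check"] = run_profile(s, {"email": ""}, checks)
    results["after_failed_check"] = special_page_scratch_gate(s, {})
    results["passed_check"] = run_profile(s, {"email": "john@example.invalid"}, checks)
    results["first_visit"] = special_page_scratch_gate(s, {})
    results["second_visit"] = special_page_scratch_gate(s, {})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The `pop` at the top of `run_profile` matters as much as the `[set ok_to_parse][/set]` on the page: together they guarantee the flag is live only between a fully passed profile and the next load of the special page, whatever order earlier requests arrived in.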