[ic] reparse security risk
ic at unrendered.org
ic at unrendered.org
Mon May 16 14:33:32 EDT 2005
Hi --
I'm running Interchange 5.2.0. I've just come across a security hole on
one of my sites with reparsing [perl] output in custom code. An example
looks something like this:
[perl] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username} [/perl]
This allows users to run arbitrary ITL code just by submitting it in
their email address, since the output of the [perl] tag will be reparsed
by default. Of course the issue can be addressed by changing it to
[perl reparse=0] return $CGI->{email}?$CGI->{email}:$CGI->{mv_username}
[/perl]
My questions are:
1) This behavior seems very nonintuitive. What are the general best
practices in Interchange to avoid accidentally parsing user data?
2) Is there any global fix I can apply, along the lines of making
reparse default to 0 for perl blocks, or do I just have to revisit each
block?
Thanks,
Jack
More information about the interchange-users
mailing list