[ic] [loop-code] interpolation = security risk?

Jon Jensen jon at endpoint.com
Thu Oct 23 00:32:10 UTC 2014


On Wed, 22 Oct 2014, Grant wrote:

> I see that cgi.coretag escapes "[".  Do you remember where else this is 
> done?

No, but it's in the core in several places IIRC.

> It's also worth mentioning that I can't figure out what line 2 here 
> accomplishes (from cgi.coretag):
>
> # Eliminate any Interchange tags
> $value =~ s~<([A-Za-z]*[^>]*\s+[Mm][Vv]\s*=\s*)~<$1~g;

Do you mean ^ that line? I believe it covers MVASP tags, an ancient and 
rarely-used MiniVend alternative tag method. Mike Heins would probably 
remember better than I do, though.

> Any kind of a wrapper for IC5 available or planned?

Not that I know of. Part of the reason for moving from IC5 to IC6 is that 
IC5 is a big monolith that is very hard to take only part of, and the 
whole thing is its own world.

> Is porting basically a rewrite?

Yes, though the more Perl you've used in IC5, the easier it'll be to bring 
that logic over.

Jon


-- 
Jon Jensen
End Point Corporation
https://www.endpoint.com/


