Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)

So what will work is this:

foreach ... {
    ad_form -extend -name my_form -form \
        [list [list $name:text [list label \$label]]]
}

Since we include the literal string $label in the argument to ad_form, thanks to the backslash, the "$label" string will get subst'ed by ad_form, cauing the result to safely and reliably be what we want it to.

Sounds like something we need to document.

/Lars

Refering to Lars example, why not

[list [list \$name:text [list label \$label]]]

How is someone gonna remember when and where to use backslashes?

Don: subst couldn't be the same as set? Subst is dangerous on any user supplied code, and even the switches -nocommands -novariables -nobackslashes have limited effect on user supplied strings, unless you use all three. Examples:

subst -nocommands $a([exec rm -f *]) ;# still exec
subst -novariables a[myproc $a]b ;# still sets $a

So either subst is required, or it isn't. I think any fix should be heavily tested to ensure it does what is expected and doesn't allow arbitrary execution of code. Another option is to escape tcl code in passed in strings. Someone will eventually forget to do this and security problems will still exist. Anyway the solution needs to ensure that arbitrary commands cannot be executed.