check_for_form_variable_naughtiness (public, deprecated)

 check_for_form_variable_naughtiness name value

Defined in packages/acs-tcl/tcl/deprecated-procs.tcl

Deprecated. Invoking this procedure generates a warning.

stuff to process the data that comes back from the users if the form looked like <input type=text name=yow> and <input type=text name=bar> then after you run this function you'll have Tcl vars $foo and $bar set to whatever the user typed in the form

this uses the initially nauseating but ultimately delicious Tcl system function "uplevel" that lets a subroutine bash the environment and local vars of its caller. It ain't Common Lisp...

This is an ad-hoc check to make sure users aren't trying to pass in "naughty" form variables in an effort to hack the database by passing in SQL. It is called in all instances where a Tcl variable is set from a form variable.

Checks the given variable for against known form variable exploits. If it finds anything objectionable, it throws an error.

Parameters:
name (required)
value (required)

Testcases:
No testcase defined.
Source code:
ad_log_deprecated proc check_for_form_variable_naughtiness
    # security patch contributed by michael@cleverly.com
    if { [string match "QQ*" $name] } {
        error "Form variables should never begin with QQ!"
    }

    # contributed by michael@cleverly.com
    if { "Vform_counter_i" eq $name } {
        error "Vform_counter_i not an allowed form variable"
    }

    # The statements below make ACS more secure, because it prevents
    # overwrite of variables from something like set_the_usual_form_variables
    # and it will be better if it was in the system. Yet, it is commented
    # out because it will cause an unstable release. To add this security
    # feature, we will need to go through all the code in the ACS and make
    # sure that the code doesn't try to overwrite intentionally and also
    # check to make sure that when Tcl files are sourced from another proc,
    # the appropriate variables are unset.  If you want to install this
    # security feature, then you can look in the release notes for more info.
    #
    # security patch contributed by michael@cleverly.com,
    # fixed by iwashima@arsdigita.com
    #
    # upvar 1 $name name_before
    # if { [info exists name_before] } {
    # The variable was set before the proc was called, and the
    # form attempts to overwrite it
    # error "Setting the variables from the form attempted to overwrite existing variable $name"
    # }

    # no naughtiness with uploaded files (discovered by ben@mit.edu)
    # patch by richardl@arsdigita.com, with no thanks to
    # jsc@arsdigita.com.
    if { [string match "*tmpfile" $name] } {
        set tmp_filename [ns_queryget $name]

        # ensure no .. in the path
        ns_normalizepath $tmp_filename

        set passed_check_p 0

        # check to make sure path is to an authorized directory
        set tmpdir_list [ad_parameter_all_values_as_list -package_id [ad_conn subsite_id] TmpDir]
        if { $tmpdir_list eq "" } {
            set tmpdir_list [list [ns_config ns/parameters tmpdir] "/var/tmp" "/tmp"]
        }

        foreach tmpdir $tmpdir_list {
            if { [string match "$tmpdir*" $tmp_filename] } {
                set passed_check_p 1
                break
            }
        }

        if { !$passed_check_p } {
            error "You specified a path to a file that is not allowed on the system!"
        }

    }

    # integrates with the ad_set_typed_form_variable_filter system
    # written by dvr@arsdigita.com

    # see if this is one of the typed variables
    global ad_typed_form_variables

    if { [info exists ad_typed_form_variables] } {

        foreach typed_var_spec $ad_typed_form_variables {
            set typed_var_name [lindex $typed_var_spec 0]

            if { ![string match $typed_var_name $name] } {
                # no match. Go to the next variable in the list
                continue
            }

            # the variable matched the pattern
            set typed_var_type [lindex $typed_var_spec 1]

            if { "" eq $typed_var_type } {
                # if they don't specify a type, the default is 'integer'
                set typed_var_type integer
            }

            set variable_safe_p [ad_var_type_check_${typed_var_type}_p $value]

            if { !$variable_safe_p } {
                ns_returnerror 500 "variable $name failed '$typed_var_type' type check"
                ns_log Error "check_for_form_variable_naughtiness: [ad_conn url] called with \$$name = $value"
                error "variable $name failed '$typed_var_type' type check"
                ad_script_abort
            }

            # we've found the first element in the list that matches,
            # and we don't want to check against any others
            break
        }
    }
XQL Not present:
PostgreSQL, Oracle
Generic XQL file:
packages/acs-tcl/tcl/deprecated-procs.xql

[ hide source ] | [ make this the default ]
Show another procedure: