util::potentially_unsafe_eval_p (public)

 util::potentially_unsafe_eval_p [ -warn ] string

Defined in packages/acs-tcl/tcl/utilities-procs.tcl

Check content of the string to identify potentially unsafe content in the provided string. The content is unsafe, when it contains externally provided content, which might be provided e.g. via query variables, or via user values stored in the database. When such content contains square braces, a "subst" command on it can evaluate arbitrary commands, which is dangerous.

Switches:
-warn (optional, boolean)
Parameters:
string (required)

Partial Call Graph (max 5 caller/called nodes):
%3 ad_log ad_log (public) util::potentially_unsafe_eval_p util::potentially_unsafe_eval_p util::potentially_unsafe_eval_p->ad_log

Testcases:
No testcase defined.
Source code:
    #ns_log notice "util::potentially_unsafe_eval_p '$string'"
    set unsafe_p 0
    set original_string $string
    while {1} {
        set p [string first \[ $string ]
        if {$p > 0} {
            set previous_char [string range $string $p-1 $p-1]
            set string [string range $string $p+1 end]
            if {$previous_char eq "\\"} {
                continue
            }
        }
        #ns_log notice "util::potentially_unsafe_eval_p '$string' $p"
        if {$p < 0 || [string length $string] < 2} {
            break
        }
        set unsafe_p 1
        if {$warn_p} {
            ad_log warning "potentially unsafe eval on '$original_string'"
        }
        break
    }
    #ns_log notice "util::potentially_unsafe_eval_p '$string' ->  $unsafe_p"
    return $unsafe_p
XQL Not present:
PostgreSQL, Oracle
Generic XQL file:
packages/acs-tcl/tcl/utilities-procs.xql

[ hide source ] | [ make this the default ]
Show another procedure: