Forum OpenACS Improvement Proposals (TIPs): TIP #14 (Rejected): Making templates safe by removing tcl tag.

Could templates be made safe by removing the tcl tag? This would seem to prevent designers from introducing code that isn't safe. The <% and <%= tags are first replaced by the tcl tag. If this tag could optionally return the empty string, based on configuration of the server, it might be safe to allow designers to provide their own templates without review.

The proposal is to add a config parameter to redefine the tcl tag.

Great idea.
Unfortunately chunks of .LRN depend on being able to insert Tcl code directly into a template .adp file - this will get cleaned up over time but isn't there yet.  This might include packages like forums that were originally written for .LRN but are part of the standard toolkit.
I think we want to clean this up for a future version 5.1, perhaps. In general I think if you have something that is impossible with the existing adp tags, creating a new tag is a better alternative to tcl code in the templates.
I don't understand this. <% %> is implemented somewhere in aolserver, no? Can we disable it at all? I guess the <tcl> tag is defined in openacs and could easily be made deactivatable, but if <% %> is still possible what would be the point?

If it's possible to deactivate both then I support it. What default value for a new install do you suggest (I tend towards tcl within adp deactivated by default - would have to be introduced early for 5.1 though so that there is time to clean up dotlrn etc.).

The preprocessor for the templating system replaces <% with <tcl>, so you just need to disable the <tcl> tag in the templating system.

As others have pointed out, some packages still rely on this tag and inline tcl, so you could never, and probably should never, remove it completely. An individual install could easily disable it anyway.

One additional note: the ATS is very good at separating application logic from display logic. I would say it is one of the best systems available, if not the best. Removal of the tcl tag may make it safe to allow users to upload their own templates for pages.

Approve (for 5.1)
I suspect removing the tcl tag (or making it suppressible via a state variable on <include> for example) would still leave plenty of holes where you could potentially execute commands. I would not really be comfortable allowing user uploaded templates on any system I was responsible for until we had gone through quite carefully to make sure all the other tags did not allow code execution via other back doors.

I think the include tag might be an issue too since you can pass arbitrary variables to tcl scripts and bypass permissioning.

The more general idea of making it possible to safely execute user uploaded templates is an excellent idea and something I am completely in favour of (and I hate the embedded tcl code generally anyway).
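An added illustration of the policy discussed in this thread, not code from OpenACS or the ATS: a small Python model of the preprocessing step (short <% %> and <%= %> forms are treated as the <tcl> tag), the proposed config switch that renders every inline Tcl block as the empty string, and a pre-upload review that also lists <include> tags passing parameters, which is the remaining hole the last posts point out. The template text and the regex-based tag handling are constructed for this example and only approximate the real ADP parser.

```python
import re

# Constructed sample template standing in for a designer-uploaded .adp file.
SAMPLE_ADP = """<master>
<h1>@page_title;noquote@</h1>
<%= [ns_info hostname] %>
<% set secret [db_string q "select 1"] %>
<tcl>set y 2</tcl>
<include src="/packages/forums/lib/message-list" forum_id="@forum_id@">
<p>Plain markup only.</p>
"""

# <% %> and <%= %> are the short forms the thread says the preprocessor turns
# into <tcl>; all three carry executable Tcl, so they are handled together.
INLINE_TCL_RE = re.compile(r"<%=?(.*?)%>|<tcl>(.*?)</tcl>", re.DOTALL | re.IGNORECASE)
INCLUDE_RE = re.compile(r"<include\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_inline_tcl(adp: str) -> list[str]:
    """Return the Tcl bodies embedded in a template, in document order."""
    return [(m.group(1) or m.group(2) or "").strip() for m in INLINE_TCL_RE.finditer(adp)]


def apply_tcl_policy(adp: str, allow_inline_tcl: bool) -> str:
    """Model of the proposed server config switch: with inline Tcl disabled,
    every <% %>, <%= %> and <tcl> block renders as the empty string."""
    if allow_inline_tcl:
        return adp
    return INLINE_TCL_RE.sub("", adp)


def find_include_params(adp: str) -> list[tuple[str, dict[str, str]]]:
    """List <include> tags with the parameters they hand to the included
    script; the thread notes these can carry arbitrary values."""
    found = []
    for m in INCLUDE_RE.finditer(adp):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        found.append((attrs.pop("src", ""), attrs))
    return found


def review_template(adp: str) -> dict[str, object]:
    """Summary a reviewer would want before accepting an uploaded template."""
    tcl_blocks = find_inline_tcl(adp)
    includes = find_include_params(adp)
    return {
        "inline_tcl_blocks": len(tcl_blocks),
        "includes_with_params": [src for src, params in includes if params],
        "safe_without_review": not tcl_blocks and not any(p for _, p in includes),
    }
```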