Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)

Refering to Lars example, why not

[list [list \$name:text [list label \$label]]]

How is someone gonna remember when and where to use backslashes?

Don: subst couldn't be the same as set? Subst is dangerous on any user supplied code, and even the switches -nocommands -novariables -nobackslashes have limited effect on user supplied strings, unless you use all three. Examples:

subst -nocommands $a([exec rm -f *]) ;# still exec
subst -novariables a[myproc $a]b ;# still sets $a

So either subst is required, or it isn't. I think any fix should be heavily tested to ensure it does what is expected and doesn't allow arbitrary execution of code. Another option is to escape tcl code in passed in strings. Someone will eventually forget to do this and security problems will still exist. Anyway the solution needs to ensure that arbitrary commands cannot be executed.