Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)

Users should never be allowed to execute any code at random points like this. But if Lars' suggestion works, it is simple enough, even if ugly. There is no way to force users to do it that way, and I bet this is something that will keep slipping through. I don't think it is a disaster because there are probably very few users that would want to exploit the problem.

What we really need is a detailed account of the extent of the problem and how and why to correct it in one way or another. At the moment, it isn't even apparent that the problem is in ad_form, and Lars' solution indicates it isn't.

I'm also trying to understand ad_form...

How does ad_form know which data being passed is a user string not to be interpreted, developer data not to be interpreted, and developer data *to be* interpreted?

In the news instance, is it ad_form's job to know not to interpret "[open|closed]", or should it be escaped before it ever gets there?

Well, subst is being called for a purpose. The question seems to be if ad_form is being fed the correct information. ad_form cannot know, and should not care, where the string came from. At least that is what I am guessing.
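To make the distinction the thread is circling concrete, here is an added Tcl example (not code from the OpenACS thread, ad_form, or the news package) showing why a user-supplied string such as "[open|closed]" must not reach `subst` as-is, and the two things a caller can do about it before the string ever gets to a routine that substitutes: quote the characters `subst` treats specially, or call `subst` with `-nocommands -novariables`. The proc names, the template, and the sample strings are constructed for illustration.

```tcl
# Added example, not part of the original thread or of ad_form.
# Demonstrates the difference between developer data that is meant to be
# substituted and user data that must survive [subst] unchanged.

# Developer-controlled template: the author intends the variable reference
# to be expanded when [subst] runs.
set developer_template {Status: $status}
set status "open"

# User-controlled input (constructed for this example). Braces keep it a
# literal here; the square brackets are exactly what [subst] would try to
# evaluate as a command if the string were substituted directly.
set user_input {[open|closed]}

# Option 1: quote the four characters [subst] treats specially so that
# substituting the result yields the original string. Backslash is mapped
# first so that the escapes added for the other characters are not doubled.
proc quote_for_subst {s} {
    return [string map [list "\\" "\\\\" "\[" "\\\[" "\]" "\\\]" "\$" "\\\$"] $s]
}

# Option 2: keep [subst] but switch off command and variable substitution,
# leaving only backslash sequences. Appropriate when the caller controls the
# whole string and only needs backslash handling.
proc subst_safely {s} {
    return [subst -nocommands -novariables $s]
}

puts [subst $developer_template]                 ;# Status: open
puts [subst [quote_for_subst $user_input]]       ;# [open|closed]
puts [subst_safely $user_input]                  ;# [open|closed]
```

The point of `quote_for_subst` is that it is applied at the boundary where a string stops being "developer data to be interpreted" and becomes "user data not to be interpreted"; once the caller has done that, the routine performing `subst` does not need to know where the string came from, which is the division of responsibility the last post describes.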