Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)

Collapse
16: Re: Security hole in ad_form (may change behavior of ad_form to fix!) (response to 1)
Posted by Jerry Asher on 10/23/03 10:06 AM
Congrats Jade, and then a plea...

Can someone explain this in terms us mortals might understand?

What does it really take to allow a user to break ad_form?

If for instance, I display their name in a form, is there anyway that there claiming to be "Joe [rm -rf /] Random" will get executed?

Collapse
17: Re: Security hole in ad_form (may change behavior of ad_form to fix!) (response to 16)
Posted by Jade Rubick on 10/23/03 09:24 PM
I don't really understand what Lars' changes are, but prior to the bug-fix -- yes, this is exactly what would happen: you would delete your hard disk, say, when you look at a form that lists all the users in a select list using ad_form.