Forum OpenACS Improvement Proposals (TIPs): Re: TIP #14 (Proposed): Making templates safe by removing tcl tag.

I suspect removing the tcl tag (or making it suppressible via a state variable on <include> for example) would still leave plenty of holes where you could potentially execute commands. I would not really be comfortable allowing user uploaded templates on any system I was responsible for until we had gone through quite carefully to make sure all the other tags did not allow code execution via other back doors.

I think the include tag might be an issue too since you can pass arbitrary variables to tcl scripts and bypass permissioning.

The more general idea of making it possible to safely execute user uploaded templates is an excellent idea and something I am completely in favour of (and I hate the embedded tcl code generally anyway).