Forum OpenACS Development: eval, apply (lack of) safety

Hi,

I have noticed the use of eval and apply in some places in acs4.x. My
question is if it's really safe to use them. If it happens to be used
on some user input, then it's quite easy to throw in some malicious
code like 'hy there [exec rm -rf /] isn't it cool?' Unfortunately, as
I understand TCL eval mechanism, it will eval the string with the
usual TCL processing, which includes substitution.

I am thinking that it might be safer to use some shallow_eval,
shallow_apply replacements, as in
<pre><code>
proc shallow_eval {func args} {
  set command $func
  foreach arg $args {
    append command " {$arg}"
  }
  eval $command
}
</code></pre>
The curly braces will prevent any substitution on the arguments, so
we may sleep well at night.

What do you think? Does this mechanism work and does it really solve
anything?
Posted by Don Baccus on
Interesting.  There was an earlier security problem with "smuggled SQL", so we might as well call your hypothetical approach "smuggled Tcl".

Have you looked to see if eval is actually being used on user arguments?  If so, depending on the type it may or may not be dangerous, i.e. ad_page_contract does basic type checking so you shouldn't be able to smuggle in a Tcl command string where the caller of the eval expects an integer.

Posted by Michael A. Cleverly on
Your shallow_eval is the same as saying:
<pre><code>
eval [list command ?args ...?]
</code></pre>
which is what the ACS does on user supplied input.

Example in tclsh:
<pre><code>
% set cmd {[df]}
[df]
% eval puts $cmd
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/sda1               132207     51228     74153  41% /
...
% shallow_eval puts $cmd
[df]
% eval [list puts $cmd]
[df]
</code></pre>
I have grepped the ACS 4.1 sources and can't find an instance where eval is used on user supplied input without using eval [list ...]. (Which isn't to say there isn't one or more such cases lurking, just that I haven't found one yet. Have you seen any?)
Posted by Cristian Petrescu-Prahova on
You are right. I don't think that there are any problems with the acs. I had some problems with my own attempt to use eval (I am writing a little parser for some wiki processing and I need to call actions). There are still some subtle points I don't quite get with tcl and eval. For instance:
<pre><code>
% eval set test "[expr 1 + 2]"
3
% proc eval_test {func args} {
    set cmd [concat [list $func] $args]
    puts $cmd
    uplevel $cmd
  }
% eval_test set test "[expr 1 + 2]"
set test {[expr 1 + 2]}
[expr 1 + 2]
</code></pre>
So eval_test is not equivalent to eval, as you already mentioned.

The only place where eval is used pervasively is in the cms, for instance all element calls go through one eval. But it is used as in eval_test, so there are no problems.

Anyway, thanks for the explanations.

Cristi
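
An added example, not part of the thread or of the ACS sources: it runs the shallow_eval proc from the first post and the `eval [list ...]` form side by side on two constructed inputs, including one with unbalanced braces, which is the case where hand-written `{$arg}` wrapping and real list quoting differ. The names `probe`, `echo` and `list_eval` are hypothetical, and the inputs only increment a counter.

```tcl
# Needs Tcl 8.4 or later (for the "eq" operator).
# probe stands in for any command an attacker might smuggle in;
# here it only counts how often it was called.
set ::hits 0
proc probe {} { incr ::hits; return probed }

# Target command: returns its single argument unchanged.
proc echo {s} { return $s }

# The proc from the first post: wraps each argument in literal braces.
proc shallow_eval {func args} {
    set command $func
    foreach arg $args {
        append command " {$arg}"
    }
    eval $command
}

# The eval [list ...] form: the command is built as a real Tcl list,
# so Tcl itself picks the quoting (braces or backslashes) per element.
proc list_eval {func args} {
    eval [linsert $args 0 $func]
}

# Constructed inputs. The second one closes the hand-written brace early
# and reopens one at the end, so the wrapped string still looks balanced.
foreach {label payload} [list \
    "command substitution" {[probe]} \
    "unbalanced braces"    "a\} ; probe ; list \{b"] {
    foreach evaluator {shallow_eval list_eval} {
        set ::hits 0
        set rc [catch {$evaluator echo $payload} result]
        # intact: echo received the input as one untouched argument
        set intact [expr {$rc == 0 && $result eq $payload}]
        puts [format "%-22s %-13s intact=%d injected_calls=%d" \
            $label $evaluator $intact $::hits]
    }
}
```

Any row with `intact=0` or a non-zero `injected_calls` means the input was parsed as Tcl code rather than passed through as data.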