Forum OpenACS Q&A: Response to TCL, Filters, Security

Posted by David Walker on
All of the string transformation is done before the string hits the request
processor so tricking the request processor is more difficult.

At this time AOLServer and OpenACS are not a big target for script kiddies
due to the fact that they don't have a big market share.

If an exploit does show up related to the request processor, it should be easy
enough to add a filter to block it. Probably 15 minutes' work for an
experienced AOLServer/TCL/OpenACS programmer.

I'm not very familiar with the specifics of OpenACS 4's request processor, so I
won't try to say whether it is safe or not. From a quick look at it, it appears
complex, and any complex piece of code is more vulnerable to subtle errors or
unpredicted functionality.