Forum OpenACS Development: FIXED: Variable expansion security vulnerability in acs-templating

A problem in the acs-templating procedure template::expand_percentage_signs: a user-supplied string containing a variable reference such as "$varname" would be evaluated if the user input was substituted into a variable reference in a localization message key.

An example message key from the search package.

<msg key="lt_No_pages_were_found_c">No pages were found containing "<b>%query%</b>".</msg>

If the user-entered search query contained $varname, the template::expand_percentage_signs procedure would evaluate the value of the $query variable through [subst], which would replace $varname with that variable's value if the variable existed; otherwise a server error for a missing variable would be returned.
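A minimal stand-in for the problem described above, added here as an illustration and not the OpenACS code or the patch: the procedure names expand_unsafe and expand_safe, the message text and the search query are constructed for the example. The unsafe variant runs [subst] over text that already contains the user's input; the safe variant resolves %name% placeholders by literal replacement only.

```tcl
# Constructed message-key text, modelled on the search package example.
set message {No pages were found containing "<b>%query%</b>".}

# Safe variant (assumed name): resolve each %name% placeholder from the
# caller's scope and insert it with [string map], which never evaluates
# the inserted value.
proc expand_safe {message} {
    set map [list]
    foreach {match name} [regexp -all -inline {%([A-Za-z_][A-Za-z0-9_]*)%} $message] {
        if {[uplevel 1 [list info exists $name]]} {
            lappend map $match [uplevel 1 [list set $name]]
        }
    }
    return [string map $map $message]
}

# Unsafe variant (assumed name): fill in the placeholders, then pass the
# result through [subst]. Any "$varname" typed by the user is now part of
# the string that [subst] evaluates, which is the defect described above.
proc expand_unsafe {message} {
    set filled [uplevel 1 [list expand_safe $message]]
    return [subst -nocommands -nobackslashes $filled]
}

# Constructed user input, as entered into the search box.
set query {$varname}

# Case 1: the referenced variable exists, so its value leaks into the page.
set varname "value-of-varname"
puts "unsafe, variable exists:  [expand_unsafe $message]"

# Case 2: the variable does not exist, so [subst] raises an error that the
# server would report as a failure.
unset varname
if {[catch {expand_unsafe $message} err]} {
    puts "unsafe, variable missing: error: $err"
}

# The safe variant returns the user's text literally in both cases.
puts "safe:                      [expand_safe $message]"
```

Running this under tclsh prints the variable's value for the first case, a "no such variable" error for the second, and the literal "$varname" for the safe variant.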

See bug#2691 https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=2691

A patch is available https://openacs.org/bugtracker/openacs/patch?patch_number=744

This patch should apply to any 5.x version of OpenACS. A new version of acs-templating is available for install from the repository as well.