Forum OpenACS Q&A: Re: FIXED: Variable expansion security vulnerability in acs-templating

I think the patch has a little bug in it. It seems like it's been corrected in CVS, but in case someone else follows this thread and tries to apply the patch directly...
>       if { [regexp {^%([a-zA-Z0-9_]+)\.([a-zA-Z0-9_]+)%$} $substitution match arr key] } {
>         # the array key name is substituted by the tcl parser s
>         regsub -all {[\]\[\{\}\"]\\$} $key {\\&} key      
>         set command "set ${var}(${key})"
At this point, there's no variable named var. It should be arr, so:
>         set command "set ${arr}(${key})"
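Added example, not code from acs-templating or from this thread: it reproduces only the shape of the quoted patch (match a %arr.key% token, read arr(key) from the caller's scope) to show why the key is a command-injection point when the constructed "set" string is evaluated, and the alternative of indexing the array through upvar so that no string built from input is ever parsed as Tcl. The page does not show how $command was consumed after the quoted lines; this example assumes it was handed to uplevel. The proc names expand_by_eval and expand_by_upvar, the looser key pattern in the first proc, and the user array contents are all assumptions made for the demonstration.

```tcl
# Added example; this is not acs-templating's code. It reproduces only the
# shape of the quoted patch (match a %arr.key% token, fetch arr(key) from the
# caller's scope). The page does not show how $command was consumed; this
# example assumes it was passed to uplevel, which is what turns the key into a
# command-injection point.

# Assumed pre-patch shape: loose key pattern, lookup done by evaluating a string.
proc expand_by_eval {substitution} {
    if { ![regexp {^%([a-zA-Z0-9_]+)\.(.+)%$} $substitution match arr key] } {
        return $substitution
    }
    set command "set ${arr}(${key})"
    # $command is re-parsed by the interpreter, so [ ], $ and \ inside $key
    # are interpreted instead of being treated as part of the array index.
    return [uplevel 1 $command]
}

# Hardened shape: identifier-only key (the quoted patch's regexp) and a direct
# array access through upvar, so no string built from input is evaluated.
proc expand_by_upvar {substitution} {
    if { ![regexp {^%([a-zA-Z0-9_]+)\.([a-zA-Z0-9_]+)%$} $substitution match arr key] } {
        return $substitution
    }
    upvar 1 $arr a
    if { ![info exists a($key)] } {
        return ""
    }
    return $a($key)
}

# Constructed sample data in the caller's (global) scope.
set user(name) "alice"
set user(xXXX) "value reached only through command substitution"

# A benign token resolves the same way in both versions.
puts [expand_by_eval {%user.name%}]
puts [expand_by_upvar {%user.name%}]

# A key carrying a bracketed command: the eval version runs
# "string repeat X 3" while parsing the index and ends up reading user(xXXX);
# the upvar version returns the token unchanged because the key is not an
# identifier.
set hostile {%user.x[string repeat X 3]%}
puts [expand_by_eval $hostile]
puts [expand_by_upvar $hostile]
```

The quoted patch takes the escaping route (a regsub that backslashes the bracket, brace, quote, backslash and dollar characters before interpolating the key into the command string). That works only if every character the parser treats specially is in the list and the escaping is applied on every path; binding the array with upvar and indexing it directly removes the string-evaluation step entirely, so there is nothing left to escape.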