Hi!
We have replaced _all_ util_memoize commands with double quotes:
- return [util_memoize "package_object_view_helper -start_with $start_with $object_type"]
with a version with "list":
- return [util_memoize [list package_object_view_helper -start_with $start_with $object_type]]
in the entire code of ]project-open[. Why?
It's like SQL injection: somebody could fiddle with $start_with or $object_type and replace object_type, for example, with:
- "acs_object; ad_user_login 123; return """
and therefore gain system administrator rights.
This is like colon vs. dollar variables in SQL. They are also not strictly necessary if all ad_page_contracts are well designed.
The issue came up in a very intensive security audit. These guys just found one of these cases in the "/admin" folder of one package, so there is no impact (the Admin can do everything anyway...). But it was still a nice wake-up call.
The OpenACS Core contains some 20 or so unsafe util_memoize calls, so it's not much work to find and fix.
Cheers!
Frank
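The string-vs-list difference described in the post, as an added runnable example that is not code from ]project-open[ or OpenACS. Assumptions: `memoize` is a stand-in for util_memoize (it evals the script once and caches by script text, without ns_cache), `ad_user_login` and `package_object_view_helper` are stand-ins for the real procs, and the attacker input is the constructed payload quoted in the post.

```tcl
#!/usr/bin/env tclsh
# Added example, not code from ]project-open[ or OpenACS.
# 'memoize' is a stand-in for util_memoize: it evaluates the script
# once and caches the result keyed by the script text. The real
# util_memoize caches through ns_cache; the injection lives in the
# 'eval', not in the caching.
array set memo_cache {}
proc memoize {script} {
    global memo_cache
    if {![info exists memo_cache($script)]} {
        set memo_cache($script) [eval $script]
    }
    return $memo_cache($script)
}

# Stand-ins for a privileged command and for the helper from the post.
set logins {}
proc ad_user_login {user_id} {
    global logins
    lappend logins $user_id
    return "logged in $user_id"
}
proc package_object_view_helper {args} {
    return "view of [lindex $args end] (start_with [lindex $args 1])"
}

# Vulnerable form from the post: the values are substituted into a
# string, and the whole string is later parsed as Tcl by eval, so a
# semicolon in $object_type starts a second command.
proc view_vulnerable {start_with object_type} {
    return [memoize "package_object_view_helper -start_with $start_with $object_type"]
}

# Fixed form from the post: list builds one command in which each
# value is exactly one word, however many spaces, semicolons or
# quotes it contains.
proc view_safe {start_with object_type} {
    return [memoize [list package_object_view_helper -start_with $start_with $object_type]]
}

# Constructed attacker input: the payload quoted in the post.
set start_with 0
set object_type {acs_object; ad_user_login 123; return ""}

# Safe form: the payload arrives at the helper as a single argument
# and no login happens.
puts "script (safe): [list package_object_view_helper -start_with $start_with $object_type]"
puts "result (safe): [view_safe $start_with $object_type]"
puts "logins so far: '$logins'"

# Vulnerable form: eval runs the helper, then ad_user_login 123, then
# 'return ""', which returns out of memoize itself, so the caller gets
# an empty string and the side effect is hidden.
puts "script (vulnerable): package_object_view_helper -start_with $start_with $object_type"
puts "result (vulnerable): '[view_vulnerable $start_with $object_type]'"
puts "logins so far: '$logins'"
```

Run it with tclsh: the safe call prints the whole payload as the object type and leaves the login list empty, while the vulnerable call prints an empty result and a login list containing 123. The `return ""` tail is what makes the vulnerable call look harmless to its caller, which is why the post's example ends with it.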