FIXED: Variable expansion security vulnerability in acs-templating

A problem in the acs-templating procedure template::expand_percentage_signs: a user-supplied string containing a Tcl variable reference such as "$varname" was evaluated when that string was substituted for a %variable% placeholder in a localized message.

An example message catalog entry from the search package:

<msg key="lt_No_pages_were_found_c">No pages were found containing &quot;&lt;b&gt;%query%&lt;/b&gt;&quot;.</msg>

If the user-entered search query contained "$varname", template::expand_percentage_signs evaluated the value of the $query variable through [subst]. If a variable with that name existed in the calling scope, the "$varname" text was replaced by its value; otherwise a server error for a missing variable was returned.
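The unsafe pattern described above, beside the literal replacement a practitioner would want instead, as an added Tcl illustration that is not the acs-templating source. The procedure names expand_unsafe and expand_safe, the placeholder regular expression and the sample values are assumptions; only the message text comes from the advisory.

```tcl
# Added illustration, not the acs-templating source. Both procs take a
# message containing %name% placeholders and read each named variable from
# the caller's scope, the way template::expand_percentage_signs does; the
# proc names and the placeholder pattern are assumptions.

# Unsafe pattern: each placeholder value is pasted into the message, and
# the finished message is then passed to [subst]. Anything in a value that
# looks like Tcl syntax (a "$varname" typed by the user) is evaluated in
# the caller's scope instead of being treated as text.
proc expand_unsafe {message} {
    foreach {placeholder name} [regexp -all -inline {%([A-Za-z_][A-Za-z0-9_]*)%} $message] {
        set value [uplevel 1 [list set $name]]
        set message [string map [list $placeholder $value] $message]
    }
    return [uplevel 1 [list subst $message]]
}

# Safe pattern: collect placeholder -> value pairs and apply them with a
# single [string map]. string map performs a literal replacement, so a
# value containing "$" or "[" is copied through unchanged and [subst] is
# never run over user-controlled text.
proc expand_safe {message} {
    set map [list]
    foreach {placeholder name} [regexp -all -inline {%([A-Za-z_][A-Za-z0-9_]*)%} $message] {
        lappend map $placeholder [uplevel 1 [list set $name]]
    }
    return [string map $map $message]
}

# Constructed inputs: the search package message from the advisory, a
# variable that happens to exist in the calling scope, and a search query
# typed by a user that names it.
set message {No pages were found containing "<b>%query%</b>".}
set secret  "hunter2"
set query   {$secret}

puts "safe:   [expand_safe $message]"
puts "unsafe: [expand_unsafe $message]"

# A query naming a variable that does not exist: expand_safe still returns
# the text literally, while expand_unsafe raises the "no such variable"
# error that surfaced as a server error in the advisory.
set query {$nosuchvar}
puts "safe:   [expand_safe $message]"
if {[catch {expand_unsafe $message} err]} {
    puts "unsafe: error: $err"
}
```

With the first query, expand_safe returns the message with the literal text "$secret" in place of the placeholder, whereas expand_unsafe returns the contents of the secret variable. Plain [subst] performs variable, command and backslash substitution over the whole string it is given, so the safe version never hands user-controlled text to [subst] at all; the value is inserted by [string map], which interprets nothing.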

See bug #2691: http://openacs.org/bugtracker/openacs/bug?bug%5fnumber=2691

A patch is available: http://openacs.org/bugtracker/openacs/patch?patch_number=744

This patch should apply to any 5.x version of OpenACS. A new version of acs-templating is also available for install from the repository.

Contributed by Dave Bauer