FIXED: Variable expansion security vulnerability in acs-templating
A problem was found in the acs-templating procedure template::expand_percentage_signs: a user-supplied string containing a variable name such as "$varname" would be evaluated if the user input was included in a variable reference in a localization message key.
An example message key from the search package:
<msg key="lt_No_pages_were_found_c">No pages were found containing "<b>%query%</b>".</msg>
If the user-entered search query contained $varname, the template::expand_percentage_signs procedure would evaluate the value of the $query variable through [subst], which would replace $varname with the variable's value if the variable existed; otherwise a server error for a missing variable would be returned.
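The double-substitution pattern described above, next to a single-pass alternative, as an added Tcl example. This is not the acs-templating source or the patch; the proc names, the server_var variable and the sample query are constructed for illustration, and the placeholder syntax is assumed to be %name% with names made of letters, digits and underscores.

```tcl
# Added illustration only: simplified stand-ins, not OpenACS code.

# Single pass over the message: copy literal text and append the value of
# each %name% verbatim. Values are never scanned again.
# "level" says how many stack frames up the template variables live.
proc fill_placeholders {message level} {
    set out ""
    while {[regexp -indices {%([A-Za-z0-9_]+)%} $message token key]} {
        set name [string range $message [lindex $key 0] [lindex $key 1]]
        append out [string range $message 0 [expr {[lindex $token 0] - 1}]]
        append out [uplevel $level [list set $name]]
        set message [string range $message [expr {[lindex $token 1] + 1}] end]
    }
    return $out$message
}

# Vulnerable pattern: the filled-in text, which now contains user input,
# is passed through [subst] in the caller's scope. Any "$name" the user
# typed is treated as a variable reference.
proc expand_unsafe {message} {
    set filled [fill_placeholders $message 2]
    return [uplevel 1 [list subst -nocommands -nobackslashes $filled]]
}

# Hardened pattern: user-supplied values are data only; no second pass.
proc expand_safe {message} {
    return [fill_placeholders $message 2]
}

# Message text from the search package key shown above.
set msg {No pages were found containing "<b>%query%</b>".}

set server_var "internal-value"   ;# hypothetical variable in template scope
set query {cats $server_var}      ;# constructed user input

puts "unsafe: [expand_unsafe $msg]"
puts "safe:   [expand_safe $msg]"

# A name that does not exist makes the unsafe version raise an error,
# which is the "server error" case; the safe version returns the text as typed.
set query {cats $no_such_var}
puts "unsafe raises error: [catch {expand_unsafe $msg} err] ($err)"
puts "safe:   [expand_safe $msg]"
```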
See bug#2691 http://openacs.org/bugtracker/openacs/bug?bug%5fnumber=2691
A patch is available http://openacs.org/bugtracker/openacs/patch?patch_number=744
This patch should apply on any 5.x version of OpenACS. A new version of acs-templating is available for install from the repository as well.
Contributed by Dave Bauer