On Wed, 26 Oct 2005, Tom Jackson wrote:

> On Tuesday 25 October 2005 17:32, Dossy Shiobara wrote:
> > On 2005.10.25, Tom Jackson <[EMAIL PROTECTED]> wrote:
> > > Hey,
> > > Isn't running 'subst' on a user supplied variable (requested url)
> > > dangerous?
> >
> > We assume that the data in $url has been sanitized upstream -- if it
> > hasn't been, then we do have to worry about HTTP header splitting
> > attacks.
> >
> > What we really need to do is add checks to make sure $url doesn't
> > contain any "illegal characters" -- especially newlines.  Ugh.
> 
> Actually you can't do this, because a url can contain chars that are legal for
> a url, but dangerous to run 'subst' on.
> All you need to do is to 'not run subst', it is only used to avoid the need to
> quote " in this particular case.
> 
> For example:
>       ns_return 301 "text/html" "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
> <HTML>
> <HEAD>
> <TITLE>Moved</TITLE>
> </HEAD>
> <BODY>
> <H2>Moved</H2>
> <A HREF=\"$url\">The requested URL has moved here.</A>
> <P ALIGN=RIGHT><SMALL><I>[ns_info name]/[ns_info patchlevel] on [ns_conn location]</I></SMALL></P>
> </BODY></HTML>
> "

Just FYI, <A href='$url'> is just as valid HTML, but the single quote 
hasn't any special meaning in TCL, and thus doesn't need to be escaped. I 
use it in all my code.

Daniël
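An added example, not from this thread or from AOLserver's own code, of the same "Moved" page built by plain Tcl string interpolation with no subst, the URL escaped for the attribute it lands in, and CR/LF rejected before the value could reach a Location header. The helper names (html_attr_escape, check_location, moved_page) and the sample values are assumptions, and the ns_info/ns_conn results are passed in as ordinary arguments so it runs in a stock tclsh.

```tcl
# Added example (not from the thread). Assumed helper names throughout.

proc html_attr_escape {s} {
    # Escape the characters that matter inside a quoted HTML attribute,
    # including the single quote, since the href below uses single quotes.
    return [string map [list & &amp; < &lt; > &gt; \" &quot; ' &#39;] $s]
}

proc check_location {url} {
    # A CR or LF in a value copied into a response header would let the
    # client end the header and start a new one: refuse it outright.
    if {[regexp {[\r\n]} $url]} {
        error "refusing url containing CR/LF (header splitting risk)"
    }
    return $url
}

proc moved_page {url name patchlevel location} {
    # Plain double-quoted string: Tcl substitutes only the $vars written
    # here by the author. The contents of $url are never re-parsed, so
    # brackets or dollar signs inside it are inert; subst is not needed.
    set href [html_attr_escape $url]
    return "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<HTML>
<HEAD>
<TITLE>Moved</TITLE>
</HEAD>
<BODY>
<H2>Moved</H2>
<A HREF='$href'>The requested URL has moved here.</A>
<P ALIGN=RIGHT><SMALL><I>$name/$patchlevel on $location</I></SMALL></P>
</BODY></HTML>
"
}

# Constructed sample url: legal in a URL, but would be evaluated by subst
# and would break out of an unescaped attribute.
set url {http://example.com/x?a=[ns_info name]&b="$env(HOME)"'}
puts [moved_page [check_location $url] aolserver 4.0 http://example.com]

# Constructed sample with a line break: rejected before any header is built.
if {[catch {check_location "http://example.com/\r\n"} msg]} {
    puts "rejected: $msg"
}
```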


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject:
field of your email blank.
