Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!]
This WebDNA talk-list message is from 2011
below

> Govinda wrote:
> [snip]
>> [!]--- START: to plug up the security hole of when URL hacker passes a webdna context name as a formvar---[/!]
> [snip]
>
> Hi Govinda, that looks like a good solution.

BTW, it was someone else's original solution/code that I just pasted. (more below)

> Since passing the "!" was causing a hang (though at least it isn't parsing anymore), I tried some other things and came up with something that still doesn't work for the "!", but is a bit shorter and perhaps slightly less CPU costly. ** note: the t_commands var should all be one line **
>
> ------------------------------------
> [formvariables name=text][redirect url=index.html][/formvariables]
> [text]t_commands=|[url]![/url]|addfields|addlineitem|append|appendfile|applescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecrc32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdatabase|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|createfolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|dos|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|flushcache|flushdatabases|format|formvariables|founditems|freememory|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonumber|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|listfiles|listmimeheaders|listpath|listvariables|listwords|lookup|loop|lowercase|math|middle|movefile|object|orderfile|password|platform|product|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|replace|replacefounditems|return|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmimeheader|shell|showif|shownext|spawn|sql|sqlconnect|sqldisconnect|sqlexecute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thisurl|time|unurl|uppercase|url|username|validcard|version|waitforfile|writefile|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text]
> [formvariables]
> [showif [t_commands]^|[url][name][/url]|]
> [redirect url=index.html]
> [/showif]
> [/formvariables]
> ------------------------------------
>
> If anyone comes up with a solution for "!" I'd be interested.

I think I am confused a little by what I am seeing (and maybe so were/are you, Donovan?).

First question I have is that I want to confirm that the issue you have with the "!" is the same as mine (?): that seemingly regardless of what I try, I cannot get the (pre-parse) script to redirect in case the user sticks "...&!=abc..." in the URL. Odd. And odd that I never noticed that before (I thought I would have tested that one, since it is one of THE most unpleasant scenarios ;-) ... causing commented-out code to fire). Anyway, is that what you also meant when you inferred that "!" behaved differently and unexpectedly? I am also wanting to know if anyone can successfully detect the case of any formvar (get or post) named "!" and so then, in that case, cause deliberate code to fire.

I thought that perhaps the issue with "!" in the script I posted earlier was because of all the instances of [!] in the script (used to remove whitespace from that pre-parse script). (I assume this is what you meant, Tom, when you said, "...Maybe the fact that Govinda is wrapping each line with WebDNA comment tags is causing the issue?")

Anyway, so then I thought to try this:

[formvariables name=!][redirect http://www.blisscode.com][/formvariables]
[!][/!]
[!]--- START: to plug up the security hole of when URL hacker passes a webdna context name as a formvar---[/!]
[!][/!]
[!][/!][formvariables name=addfields][redirect /][/formvariables]
[!][/!][formvariables name=addlineitem][redirect /][/formvariables]
[!][/!][formvariables name=append][redirect /][/formvariables]
[!][/!][formvariables name=appendfile][redirect /][/formvariables]
[!][/!][formvariables name=applescript][redirect /][/formvariables]
[!][/!][formvariables name=arrayget][redirect /][/formvariables]
[!][/!][formvariables name=arrayset][redirect /][/formvariables]
[!][/!][formvariables name=authenticate][redirect /][/formvariables]
[!][/!][formvariables name=boldwords][redirect /][/formvariables]
[!][/!][formvariables name=browsername][redirect /][/formvariables]
[!][/!][formvariables name=calcfilecrc32][redirect /][/formvariables]
[snip...]

...and then I also tried like Tom says he does:

[formvariables name=!][redirect /][/formvariables][formvariables name=addfields][redirect /][/formvariables][formvariables name=addlineitem][redirect /][/formvariables][formvariables name=append][redirect /][/formvariables][formvariables name=appendfile][redirect /][/formvariables][formvariables name=applescript][redirect /][/formvariables] [formvariables name=arrayget][redirect /][/formvariables]
[snip...]

...and in BOTH cases everything works as expected, *EXCEPT* when I pass "...&!=abc..." in the URL; then I get this (instead of a redirect):

"Forbidden
You don't have permission to access myTest.tpl on this server.
Apache Server at mydomain.com Port 80"

(..where you just get a hang, Donovan?)

Does anyone know a way we can detect the case of an attempted formvar named "!"?

Thanks,
-Govinda
Govinda
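The redirect-on-reserved-name check that Donovan's t_commands template and Govinda's [formvariables name=...] blocks both implement, as an added example in Python (not WebDNA code, and not code from the original thread). It takes the context names from the t_commands list quoted above (duplicates dropped, the misspelt lastautonumber entry corrected, "!" included for the comment context) and runs them against constructed GET and POST strings, including the "...&!=abc..." case, so the comparison step can be exercised on its own. pipe_list_hit() reproduces [showif [t_commands]^|[url][name][/url]|] literally ("^" being WebDNA's contains operator); reserved_hits() is the same check done as an exact-token set lookup on the decoded name. One assumption is built in: that WebDNA matches context names case-insensitively, so names are lower-cased before lookup. The example says nothing about what WebDNA or Apache does with a "!" parameter before the template runs, which is the part the thread cannot explain.

```python
"""Reserved-name check for request parameters, modelled on the denylist
approach in the thread above (added example in Python, not WebDNA code
and not from the original post)."""
from urllib.parse import parse_qsl, quote

# Context names from Donovan's t_commands list (duplicates removed), plus
# "!" for the [!]...[/!] comment context that the thread is stuck on.
_NAMES = """
! addfields addlineitem append appendfile applescript arrayget arrayset
authenticate boldwords browsername calcfilecrc32 capitalize cart case
clearlineitems closedatabase command commitdatabase convertchars
convertwords copyfile copyfolder countchars countwords createfolder date
ddeconnect ddesend decrypt delete deletefile deletefolder dos elapsedtime
else encrypt exclusivelock filecompare fileinfo findstring flushcache
flushdatabases format formvariables founditems freememory function
getchars getcookie getmimeheader grep hideif html1 html2 html3 httpmethod
if include input interpret ipaddress issecureclient lastautonumber
lastrandom lineitems listchars listcookies listdatabases listfields
listfiles listmimeheaders listpath listvariables listwords lookup loop
lowercase math middle movefile object orderfile password platform product
protect purchase random raw redirect referrer removehtml removelineitem
replace replacefounditems return returnraw scope search sendmail setcookie
setheader setlineitem setmimeheader shell showif shownext spawn sql
sqlconnect sqldisconnect sqlexecute sqlinfo sqlrelease sqlresult switch
table tcpconnect tcpsend then thisurl time unurl uppercase url username
validcard version waitforfile writefile xmlnode xmlnodes
xmlnodesattributes xmlparse xsl xslt
""".split()
RESERVED = frozenset(_NAMES)

# The same list in the one-line, pipe-delimited form the posted template
# builds; each entry is percent-encoded the way [url]...[/url] encodes it,
# so "!" becomes "%21".
T_COMMANDS = "|" + "|".join(quote(n, safe="") for n in _NAMES) + "|"


def pipe_list_hit(name: str) -> bool:
    """Literal re-implementation of [showif [t_commands]^|[url][name][/url]|]
    ("^" is WebDNA's contains operator): encode the parameter name and look
    for it between pipe delimiters. The delimiters make this an exact-token
    match rather than a loose substring match, so "id" does not hit on the
    "hideif" entry."""
    return ("|" + quote(name, safe="") + "|") in T_COMMANDS


def reserved_hits(query_string: str = "", body: str = "") -> list:
    """Names of GET and POST parameters that collide with a reserved
    context name. parse_qsl decodes percent-escapes once, as the web
    server does before the template sees the variable, so "%21" and "!"
    are the same name here. Lower-casing assumes WebDNA matches context
    names case-insensitively (assumption, not verified in the thread)."""
    hits = []
    for src in (query_string, body):
        for raw_name, _value in parse_qsl(src, keep_blank_values=True):
            if raw_name.strip().lower() in RESERVED:
                hits.append(raw_name)
    return hits


def should_redirect(query_string: str = "", body: str = "") -> bool:
    """True when any parameter name is reserved, i.e. the pre-parse
    template would [redirect] instead of rendering the page."""
    return bool(reserved_hits(query_string, body))


if __name__ == "__main__":
    # Constructed requests (not captured traffic): the "...&!=abc..." case
    # from the thread, its percent-encoded twin, a mixed-case context name
    # and a benign form.
    for qs in ("id=7&!=abc", "id=7&%21=abc", "FormVariables=x",
               "name=bob&qty=2"):
        print(f"{qs!r:20} hits={reserved_hits(qs)} "
              f"redirect={should_redirect(qs)}")
    print("pipe_list_hit('!') =", pipe_list_hit("!"))
```

Worth noticing what the list contains: username, password, date, search, time and url are all reserved here, so a denylist this broad redirects perfectly ordinary forms. Checking a template's parameters against the short allowlist of names it actually expects, and rejecting anything else, is the tighter control, and it does not go stale when a later WebDNA release adds a context.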