Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!]

This WebDNA talk-list message is from

2011


It keeps the original formatting.
numero = 107135
interpreted = N
texte = below > Govinda wrote: > [snip] >> [!]--- START: to plug up the security hole of when URL hacker passes = a >> webdna context name as a formvar---[/!][snip] >=20 >=20 > Hi Govinda, that looks like a good solution. BTW, it was someone else's original solution/code.. that I just pasted. =20= (more below) > Since passing the "!" was causing a hang (though at least it isn't = parsing anymore), I tried some other things and came up with something = that still doesn't work for the "!", but is a bit shorter and perhaps = slightly less CPU costly. ** note: the t_commands var should all be one = line ** >=20 > ------------------------------------ > [formvariables name=3Dtext][redirect url=3Dindex.html][/formvariables] > = [text]t_commands=3D|[url]![/url]|addfields|addlineitem|append|appendfile|a= pplescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecr= c32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdataba= se|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|cre= atefolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|d= os|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|= flushcache|flushdatabases|format|format|formvariables|founditems|freememor= y|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|= httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonum= ner|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|li= stfiles|listmimeheaders|listpath|listvariables|listwords|lookup|lookup|loo= p|lowercase|math|middle|movefile|object|orderfile|password|platform|produc= t|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|= replace|replacefounditems|retu > = rn|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmime= header|shell|showif|shownext|spawn|sql|sql|sqlconnect|sqldisconnect|sqlexe= cute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thi= surl|time|unurl|uppercase|url|username|validcard|version|waitforfile|write= file|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text] > [formvariables] > [showif [t_commands]^|[url][name][/url]|] > [redirect url=3Dindex.html] > [/showif] > [/formvariables] > ------------------------------------ >=20 >=20 > If anyone comes up with a solution for "!" I'd be interested. I think I am confused a little by what I am seeing. (and maybe so = were/are you Donovan?) First question I have is that I want to confirm that the issue you have = with the "!" is the same as me (?) -=20 ..that seemingly regardless of what I try... I cannot get the = (pre-parse) script to redirect in case the user sticks "...&!=3Dabc..." = in the URL. Odd. And odd that I never noticed that before (I thought I = would have tested that one since it is one of the THE most unpleasant = scenarios ;-) ... causing commented out code to fire). Anyway is that = what you also meant when you inferred that "!" behaved differently.. and = unexpectedly? I am also wanting to know if anyone can successfully = detect in case of any formvar (get or post) named "!".. and so then in = that case - cause deliberate code to fire. I thought that perhaps the issue with "!" in the script I posted earlier = was because of all the instances of [!] in the script.. (used to remove = whitespace from that pre-parse script). (I assume this is what you = meant Tom? ..when you said, "...Maybe the fact that Govinda is wrapping = each line with WebDNA comment tags is causing the issue?")=20 Anyway so then I thought to try this: [formvariables name=3D!][redirect = http://www.blisscode.com][/formvariables][!] [/!][!]--- START: to plug up the security hole of when URL hacker passes = a webdna context name as a formvar---[/!][!] [/!][!] [/!][formvariables name=3Daddfields][redirect /][/formvariables][!] [/!][formvariables name=3Daddlineitem][redirect /][/formvariables][!] [/!][formvariables name=3Dappend][redirect /][/formvariables][!] [/!][formvariables name=3Dappendfile][redirect /][/formvariables][!] [/!][formvariables name=3Dapplescript][redirect /][/formvariables][!] [/!][formvariables name=3Darrayget][redirect /][/formvariables][!] [/!][formvariables name=3Darrayset][redirect /][/formvariables][!] [/!][formvariables name=3Dauthenticate][redirect /][/formvariables][!] [/!][formvariables name=3Dboldwords][redirect /][/formvariables][!] [/!][formvariables name=3Dbrowsername][redirect /][/formvariables][!] [/!][formvariables name=3Dcalcfilecrc32][redirect = /][/formvariables][snip...] ...and then I also tried like Tom says he does: [formvariables name=3D!][redirect /][/formvariables][formvariables = name=3Daddfields][redirect /][/formvariables][formvariables = name=3Daddlineitem][redirect /][/formvariables][formvariables = name=3Dappend][redirect /][/formvariables][formvariables = name=3Dappendfile][redirect /][/formvariables][formvariables = name=3Dapplescript][redirect /][/formvariables] [formvariables = name=3Darrayget][redirect /][/formvariables][snip...] ..and in BOTH cases.. everything works as expected, *EXCEPT* when I pass = "...&!=3Dabc..." in the URL, then I get this (instead of a redirect): " Forbidden You don't have permission to access myTest.tpl on this server. Apache Server at mydomain.com Port 80 " (..where you just get a hang, Donovan?) Does anyone know a way we can detect the case of an attempted formvar = named "!" ? Thanks, -Govinda= Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Kenneth Grome 2011)
  2. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Govinda 2011)
  3. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Kenneth Grome 2011)
  4. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Govinda 2011)
  5. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Kenneth Grome 2011)
  6. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Govinda 2011)
  7. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Govinda 2011)
  8. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Kenneth Grome 2011)
  9. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Govinda 2011)
  10. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Kenneth Grome 2011)
  11. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Kenneth Grome 2011)
  12. Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!] (Kenneth Grome 2011)
below > Govinda wrote: > [snip] >> [!]--- START: to plug up the security hole of when URL hacker passes = a >> webdna context name as a formvar---[/!][snip] >=20 >=20 > Hi Govinda, that looks like a good solution. BTW, it was someone else's original solution/code.. that I just pasted. =20= (more below) > Since passing the "!" was causing a hang (though at least it isn't = parsing anymore), I tried some other things and came up with something = that still doesn't work for the "!", but is a bit shorter and perhaps = slightly less CPU costly. ** note: the t_commands var should all be one = line ** >=20 > ------------------------------------ > [formvariables name=3Dtext][redirect url=3Dindex.html][/formvariables] > = [text]t_commands=3D|[url]![/url]|addfields|addlineitem|append|appendfile|a= pplescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecr= c32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdataba= se|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|cre= atefolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|d= os|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|= flushcache|flushdatabases|format|format|formvariables|founditems|freememor= y|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|= httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonum= ner|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|li= stfiles|listmimeheaders|listpath|listvariables|listwords|lookup|lookup|loo= p|lowercase|math|middle|movefile|object|orderfile|password|platform|produc= t|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|= replace|replacefounditems|retu > = rn|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmime= header|shell|showif|shownext|spawn|sql|sql|sqlconnect|sqldisconnect|sqlexe= cute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thi= surl|time|unurl|uppercase|url|username|validcard|version|waitforfile|write= file|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text] > [formvariables] > [showif [t_commands]^|[url][name][/url]|] > [redirect url=3Dindex.html] > [/showif] > [/formvariables] > ------------------------------------ >=20 >=20 > If anyone comes up with a solution for "!" I'd be interested. I think I am confused a little by what I am seeing. (and maybe so = were/are you Donovan?) First question I have is that I want to confirm that the issue you have = with the "!" is the same as me (?) -=20 ..that seemingly regardless of what I try... I cannot get the = (pre-parse) script to redirect in case the user sticks "...&!=3Dabc..." = in the URL. Odd. And odd that I never noticed that before (I thought I = would have tested that one since it is one of the THE most unpleasant = scenarios ;-) ... causing commented out code to fire). Anyway is that = what you also meant when you inferred that "!" behaved differently.. and = unexpectedly? I am also wanting to know if anyone can successfully = detect in case of any formvar (get or post) named "!".. and so then in = that case - cause deliberate code to fire. I thought that perhaps the issue with "!" in the script I posted earlier = was because of all the instances of [!] in the script.. (used to remove = whitespace from that pre-parse script). (I assume this is what you = meant Tom? ..when you said, "...Maybe the fact that Govinda is wrapping = each line with WebDNA comment tags is causing the issue?")=20 Anyway so then I thought to try this: [formvariables name=3D!][redirect = http://www.blisscode.com][/formvariables][!] [/!][!]--- START: to plug up the security hole of when URL hacker passes = a webdna context name as a formvar---[/!][!] [/!][!] [/!][formvariables name=3Daddfields][redirect /][/formvariables][!] [/!][formvariables name=3Daddlineitem][redirect /][/formvariables][!] [/!][formvariables name=3Dappend][redirect /][/formvariables][!] [/!][formvariables name=3Dappendfile][redirect /][/formvariables][!] [/!][formvariables name=3Dapplescript][redirect /][/formvariables][!] [/!][formvariables name=3Darrayget][redirect /][/formvariables][!] [/!][formvariables name=3Darrayset][redirect /][/formvariables][!] [/!][formvariables name=3Dauthenticate][redirect /][/formvariables][!] [/!][formvariables name=3Dboldwords][redirect /][/formvariables][!] [/!][formvariables name=3Dbrowsername][redirect /][/formvariables][!] [/!][formvariables name=3Dcalcfilecrc32][redirect = /][/formvariables][snip...] ...and then I also tried like Tom says he does: [formvariables name=3D!][redirect /][/formvariables][formvariables = name=3Daddfields][redirect /][/formvariables][formvariables = name=3Daddlineitem][redirect /][/formvariables][formvariables = name=3Dappend][redirect /][/formvariables][formvariables = name=3Dappendfile][redirect /][/formvariables][formvariables = name=3Dapplescript][redirect /][/formvariables] [formvariables = name=3Darrayget][redirect /][/formvariables][snip...] ..and in BOTH cases.. everything works as expected, *EXCEPT* when I pass = "...&!=3Dabc..." in the URL, then I get this (instead of a redirect): " Forbidden You don't have permission to access myTest.tpl on this server. Apache Server at mydomain.com Port 80 " (..where you just get a hang, Donovan?) Does anyone know a way we can detect the case of an attempted formvar = named "!" ? Thanks, -Govinda= Govinda

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Date search bug (1998) WebCat 5 Intranet Question (2003) Works! (1997) can WC render sites out? (1997) UnitShopCost (2007) possible, WebCat2.0 and checkboxes-restated (1997) Writing to disk (1999) Anyone done or can point to RMS (2004) ShowNext for method=POST (1997) Bug or syntax error on my part? (1997) Help name our technology! (1997) Blocking form spam (2006) Same Database needed on two machines (2002) emailer w/F2 (1997) form data submission gets truncated (1997) [SHOWIF]s and empty arguments (1997) ReadDateFormat (1998) listfiles-looking for slick solution (1997) Email within tmpl ? (1997) [WebDNA] Count Lines (2011)