Re: [WebDNA] Error: Can't open order file. Ignoring [OrderFile] context Error: Error: expected [/APPLICATION], but found [/!] instead[/!]

This WebDNA talk-list message is from 2011.

below

> Govinda wrote:
> [snip]
>> [!]--- START: to plug up the security hole of when URL hacker passes a
>> webdna context name as a formvar---[/!][snip]
>
>
> Hi Govinda, that looks like a good solution.

BTW, it was someone else's original solution/code.. that I just pasted.
(more below)

> Since passing the "!" was causing a hang (though at least it isn't parsing anymore), I tried some other things and came up with something that still doesn't work for the "!", but is a bit shorter and perhaps slightly less CPU costly. ** note: the t_commands var should all be one line **
>
> ------------------------------------
> [formvariables name=text][redirect url=index.html][/formvariables]
> [text]t_commands=|[url]![/url]|addfields|addlineitem|append|appendfile|applescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecrc32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdatabase|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|createfolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|dos|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|flushcache|flushdatabases|format|format|formvariables|founditems|freememory|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonumber|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|listfiles|listmimeheaders|listpath|listvariables|listwords|lookup|lookup|loop|lowercase|math|middle|movefile|object|orderfile|password|platform|product|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|replace|replacefounditems|return|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmimeheader|shell|showif|shownext|spawn|sql|sql|sqlconnect|sqldisconnect|sqlexecute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thisurl|time|unurl|uppercase|url|username|validcard|version|waitforfile|writefile|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text]
> [formvariables]
> [showif [t_commands]^|[url][name][/url]|]
> [redirect url=index.html]
> [/showif]
> [/formvariables]
> ------------------------------------
>
>
> If anyone comes up with a solution for "!" I'd be interested.

I think I am confused a little by what I am seeing. (and maybe so were/are you Donovan?)

First question I have is that I want to confirm that the issue you have with the "!" is the same as me (?) - ..that seemingly regardless of what I try... I cannot get the (pre-parse) script to redirect in case the user sticks "...&!=abc..." in the URL. Odd. And odd that I never noticed that before (I thought I would have tested that one since it is one of THE most unpleasant scenarios ;-) ... causing commented out code to fire). Anyway is that what you also meant when you inferred that "!" behaved differently.. and unexpectedly?

I am also wanting to know if anyone can successfully detect in case of any formvar (get or post) named "!".. and so then in that case - cause deliberate code to fire.

I thought that perhaps the issue with "!" in the script I posted earlier was because of all the instances of [!] in the script.. (used to remove whitespace from that pre-parse script). (I assume this is what you meant Tom? ..when you said, "...Maybe the fact that Govinda is wrapping each line with WebDNA comment tags is causing the issue?")

Anyway so then I thought to try this:

[formvariables name=!][redirect http://www.blisscode.com][/formvariables][!]
[/!][!]--- START: to plug up the security hole of when URL hacker passes a webdna context name as a formvar---[/!][!]
[/!][!]
[/!][formvariables name=addfields][redirect /][/formvariables][!]
[/!][formvariables name=addlineitem][redirect /][/formvariables][!]
[/!][formvariables name=append][redirect /][/formvariables][!]
[/!][formvariables name=appendfile][redirect /][/formvariables][!]
[/!][formvariables name=applescript][redirect /][/formvariables][!]
[/!][formvariables name=arrayget][redirect /][/formvariables][!]
[/!][formvariables name=arrayset][redirect /][/formvariables][!]
[/!][formvariables name=authenticate][redirect /][/formvariables][!]
[/!][formvariables name=boldwords][redirect /][/formvariables][!]
[/!][formvariables name=browsername][redirect /][/formvariables][!]
[/!][formvariables name=calcfilecrc32][redirect /][/formvariables][snip...]

...and then I also tried like Tom says he does:

[formvariables name=!][redirect /][/formvariables][formvariables name=addfields][redirect /][/formvariables][formvariables name=addlineitem][redirect /][/formvariables][formvariables name=append][redirect /][/formvariables][formvariables name=appendfile][redirect /][/formvariables][formvariables name=applescript][redirect /][/formvariables] [formvariables name=arrayget][redirect /][/formvariables][snip...]

..and in BOTH cases.. everything works as expected, *EXCEPT* when I pass "...&!=abc..." in the URL, then I get this (instead of a redirect):

"
Forbidden
You don't have permission to access myTest.tpl on this server.
Apache Server at mydomain.com Port 80
"

(..where you just get a hang, Donovan?)

Does anyone know a way we can detect the case of an attempted formvar named "!" ?

Thanks,
-Govinda
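As an added example (not code from the thread or from WebDNA), the check that the quoted script performs inside the template, done instead on the raw query string before WebDNA sees it: a denylist match against context names, plus the allowlist alternative that refuses a formvar named "!" without enumerating every command. The context set is a constructed subset of the thread's t_commands list, and the case-insensitive compare assumes WebDNA treats context names that way.

```python
from urllib.parse import parse_qsl

# Constructed subset of the WebDNA context names from the thread's
# t_commands list; a real deployment would carry the full list.
WEBDNA_CONTEXTS = {
    "!", "addfields", "addlineitem", "append", "appendfile", "applescript",
    "delete", "deletefile", "include", "interpret", "redirect", "shell",
    "sql", "sqlexecute", "writefile",
}


def colliding_param_names(query, contexts=WEBDNA_CONTEXTS):
    """Denylist check equivalent to the thread's [formvariables] loop.

    Returns the parameter names (after URL decoding) that equal a WebDNA
    context name. Names are compared case-insensitively with surrounding
    whitespace stripped (assumption: WebDNA treats context names
    case-insensitively), so '%21=abc' and 'AddFields=1' are both reported
    where a plain string compare would miss them. A bare '!' with no
    value is reported too, because keep_blank_values keeps it.
    """
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name.strip().lower() in contexts:
            hits.append(name)
    return hits


def unexpected_param_names(query, allowed):
    """Allowlist check: report every parameter the page did not ask for.

    'allowed' is the set of form variable names the template actually
    reads. Anything else, including '!' and any context name added in a
    later WebDNA release, is reported without maintaining a command list.
    """
    return [name for name, _value in parse_qsl(query, keep_blank_values=True)
            if name not in allowed]


if __name__ == "__main__":
    # Constructed sample query strings, including the '!' case from the thread.
    for q in ("id=42&name=bob", "id=42&!=abc", "id=42&%21=abc&AddFields=x"):
        print(q, "->", colliding_param_names(q),
              unexpected_param_names(q, {"id", "name"}))
```

Either check belongs in front of the template (a rewrite rule, a proxy, or a wrapper script), since the thread shows the in-template version never runs for the "!" case.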

    