Re: Proposed FormVariables hierarchy

This WebDNA talk-list message is from 2000. It keeps the original formatting.
numero = 31700
interpreted = N
Associated Messages, from the most recent to the oldest:

    
  1. Re: Proposed FormVariables hierarchy (John Butler 2000)
  2. Re: Proposed FormVariables hierarchy (John Peacock 2000)
  3. Re: Proposed FormVariables hierarchy (Nicolas Verhaeghe 2000)
  4. Re: Proposed FormVariables hierarchy (Kenneth Grome 2000)
  5. Re: Proposed FormVariables hierarchy (John Peacock 2000)
  6. Re: Proposed FormVariables hierarchy (Pat McCormick 2000)
  7. Re: Proposed FormVariables hierarchy (Kenneth Grome 2000)
  8. Re: Proposed FormVariables hierarchy (GHulbert@smithmicro.com 2000)
  9. Re: Proposed FormVariables hierarchy (Thomas Wedderburn-Bisshop 2000)
  10. Re: Proposed FormVariables hierarchy (Michael Winston 2000)
  11. Re: Proposed FormVariables hierarchy (Kenneth Grome 2000)
  12. Proposed FormVariables hierarchy (GHulbert@smithmicro.com 2000)

Nicolas -

Grant has already stated in no uncertain terms that the present behavior is a security lapse and will not be supported. The default behavior must be secure, with the option of disabling security on a case by case basis. You are correct, encrypted templates will need to be upgraded before they run under 4.x. There is no one holding a gun to the head of each site to upgrade; only if you need the new features should you need to upgrade.

There was a very complete discussion of using an editor with regular expressions to make two passes and clean up all user written templates in one swell foop. This is not an upgrade issue, it is a bug/security fix; there is no wiggle room, this _has_ to be done.

John Peacock

Nicolas Verhaeghe wrote:
>
> > Default behavior would be to store text variables in the secure
> > namespace. Adding the optional secure=F parameter like [text
> > secure=f]fred=hello[/text] would put those values into the new
> > un-secure namespace.
>
> Will our older templates work? With the unsecure namespace (as you call it)
> coming first, we would not have to worry. With this new proposed hierarchy,
> we will still have to go back and modify our older templates, and in my case
> it's a no-go, because I have to go on (I cannot afford looking back to what
> I did before, only to correct my bugs).
>
> That is a very important question.
>
> Again: an upgrade where all we would have to do is install the new version
> in order to see our older template work is a necessity.
>
> The case of people who purchased an already made solution (stuff like The
> Pubb or Banner Sleuth -or whatever the name is) with encrypted templates
> will not be able to use them if those templates take advantage of the older
> hierarchy.
>
> [text/math secure=f] should therefore be a default
> [text/math secure=t] should therefore be an option
>
> (just like show=f is an option and show=t a default).
>
> My question makes sense.
