Index: openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl,v
diff -u -r1.63.6.5 -r1.63.6.6
--- openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl	2 Oct 2013 22:55:55 -0000	1.63.6.5
+++ openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl	1 Mar 2014 14:54:40 -0000	1.63.6.6
@@ -1078,7 +1078,22 @@
 
     }
     if { [template::form is_submission $form_name] } {
-        if { [uplevel #$level {set __refreshing_p}] } {
+        upvar #$level __refreshing_p __refreshing_p __confirmed_p __confirmed_p
+        #
+        # The values for __refreshing_p and __confirmed_p are returend
+        # from the client. Since Submitting invalid data to hidden
+        # elements is a common attack vector, we react harsh if we see
+        # an invalid input here.
+        #
+        if {![string is boolean -strict $__refreshing_p]
+            || ![string is boolean -strict $__confirmed_p] } {
+            ad_return_complaint 1 "Your request is invalid."
+            ns_log Warning "Validation error in hidden form element.\
+               This may be part of a vulnerability scan or attack reconnaissance: \
+               fish values __refreshing_p '$__refreshing_p' or __confirmed_p '$__confirmed_p'"
+            ad_script_abort
+        }
+        if { $__refreshing_p } {
             uplevel array unset ${form_name}:error
 
             if { [info exists on_refresh] } {
@@ -1091,7 +1106,7 @@
 
         # Run confirm and preview templates before we do final processing of the form
-        if { [info exists confirm_template] && ![uplevel #$level {set __confirmed_p}] } {
+        if { [info exists confirm_template] && ! $__confirmed_p } {
 
             # Pass the form variables to the confirm template, applying the to_html filter if present
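Review bot: In the new rejection branch the client-controlled values `$__refreshing_p` and `$__confirmed_p` are interpolated unmodified into the `ns_log Warning` message, so a sender who has already put arbitrary strings into these hidden fields can also embed newlines or control characters to split or forge log lines — exactly the kind of input this branch was added to distrust. I would bound and escape them before logging, e.g. `set __bad_vals [string map [list \n \\n \r \\r] [string range "$__refreshing_p / $__confirmed_p" 0 100]]` and log `$__bad_vals` instead of the raw variables, with a one-line comment saying why. The explanatory comment also has typos ("returend", "react harsh") and the message's "fish values" presumably means "fishy values"; I would reword the comment to `# __refreshing_p and __confirmed_p come back from the client. Submitting invalid data to hidden elements is a common attack vector, so we reject the whole request on any invalid input.` Whether the `upvar` can ever bind a variable that was never set (which would raise "no such variable" before the check runs) depends on how the hidden elements are declared earlier in ad_form, whose body starts and ends outside this hunk.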