Forum Discussion
How to preserve HTTP headers for HTTP::respond
Thank you, , it helped. Is it enough to put $hdrs in curly braces to avoid TCL injection ?
Or maybe append HTTP::respond statement with an additional header? Article doesn't provide detailed recommendation how to protect from malicious input.
Also, I solved the problems of quoting by converting $hdrs to a list, i.e.
set headers {}
foreach header [HTTP::header names] {
lappend headers $header [HTTP::header value $header]
}
Thanks,
Vadym
>Is it enough to put $hdrs in curly braces to avoid TCL injection ?
No - that just makes {$hrds} a single parameter with spaces in it.
I suspect you need to individually wrap each element (the headers and the values) in curly braces prior to the eval
So you end up doing an eval on
HTTP::respond 301 -version auto {header1} {header1_value} {header2} {header2_value} ...
That prevents eval from further expanding the strings in the curly braces.
But I don't really get TCL injection either - I know it is possible via unsanitized input, and eval is a common problem, and curly braces help, but I still struggle with it.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com