Forum Discussion
Vadym_Chepkov
Nimbostratus
NimbostratusHow to preserve HTTP headers for HTTP::respond
I need to preserve HTTP headers for HTTP::respond, I tried the following approach when HTTP_RESPONSE {
if {[HTTP::has_responded]} {return}
catch { unset hdrs }
foreach header [HTTP::header ...
Vadym_ChepkovNimbostratus
NimbostratusThank you, , it helped. Is it enough to put $hdrs in curly braces to avoid TCL injection ?
Or maybe append HTTP::respond statement with an additional header? Article doesn't provide detailed recommendation how to protect from malicious input.
Also, I solved the problems of quoting by converting $hdrs to a list, i.e.
set headers {}
foreach header [HTTP::header names] {
lappend headers $header [HTTP::header value $header]
}
Thanks,
Vadym
Simon_Blakely
Employee
Employee>Is it enough to put $hdrs in curly braces to avoid TCL injection ?
No - that just makes {$hrds} a single parameter with spaces in it.
I suspect you need to individually wrap each element (the headers and the values) in curly braces prior to the eval
So you end up doing an eval on
HTTP::respond 301 -version auto {header1} {header1_value} {header2} {header2_value} ...That prevents eval from further expanding the strings in the curly braces.
But I don't really get TCL injection either - I know it is possible via unsanitized input, and eval is a common problem, and curly braces help, but I still struggle with it.