Forum Discussion
warning: [use curly braces to avoid double substitution]
1) An understanding of double substitution is necessary to avoid injection attacks. Tcl parses a command, performs substitutions on the words of the command, and then executes the command. Some commands in turn perform additional processing of the arguments they receive. eval, subst, and various other commands interpret their arguments as a script to be executed, and pass the script back to Tcl for another round of evaluation. expr, if, and while parse their arguments according to the grammar of expr, resulting in another round of variable and command substitution.

Double substitution refers to the substitution that happens during these additional rounds of interpretation. Double substitution can be useful, but is more often the result of inadvertently neglecting to brace the arguments to expr or to the expr arguments of if and while. Static syntax analysis tools can be used to locate these occurrences in a script.

KBK: Braced expressions on if, while, and expr aren't just safer, they're also much, much faster. Unbraced ones have to be parsed at run time; braced ones can be compiled down to very tight bytecode sequences.

expr: In expr scripts, $ causes variable substitution and [ causes command substitution.
Arguments to expr should almost always be braced because it avoids the first layer of substitution by the Tcl interpreter. The same is true for the first argument to if and while. This is mentioned on the Tcl Style Guide page and is discussed a bit on A Question of Style.
2) So the warnings are put in place to suggest you work them out.
3) So rewriting them stops the possibility of an injection attack, so the warning will no longer appear when rewritten. (The F5 error or warning statement also includes a suggested way of correcting the problem.)
4) For a more thorough explanation see: double substitution http://wiki.tcl.tk/1535
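
The double substitution described in the post above, as an added example that is not part of the original post or of F5's documentation. It is plain Tcl for tclsh; the names marker, calls, untrusted and report are hypothetical, and the input value is constructed.

```tcl
# Harmless stand-in for whatever command an injected value might name (hypothetical).
set calls 0
proc marker {} {
    incr ::calls
    return 1
}

# Constructed sample input: text as it might arrive in a request field.
set untrusted {[marker]}

# Print a result and how many times marker ran while it was computed,
# then reset the counter for the next case.
proc report {label result} {
    puts [format "%-14s result=%s marker calls=%d" $label $result $::calls]
    set ::calls 0
}

# Unbraced expr: Tcl substitutes $untrusted, then expr parses the resulting
# text "[marker] == 1" and performs command substitution a second time.
report "expr unbraced" [expr $untrusted == 1]

# Braced expr: only expr substitutes $untrusted, and its value is compared
# as a string; the brackets inside the value are never parsed.
report "expr braced" [expr {$untrusted == 1}]

# The first argument of if is an expr expression, so the same rule applies.
if "$untrusted == 1" { set r taken } else { set r skipped }
report "if unbraced" $r

if {$untrusted == 1} { set r taken } else { set r skipped }
report "if braced" $r
```

In the unbraced cases the counter shows that the text inside the variable was executed as a command; in the braced cases it stays at zero.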