Lightboard Lessons: Secure Coding and Tcl Double Substitution
The F5 BIG-IP has a powerful programmability feature called iRules. iRules is a scripting language that was introduced in 2007 and is based on an extended and customized Tool Command Language (Tcl) 8.4 implementation. While iRules are based on Tcl, they are not exactly the same thing. For example, iRules have some unique commands that are not found in native Tcl, and some Tcl commands are not valid for iRules. However, most Tcl commands can be used in iRules.
As is the case with any programming language, the developer needs to understand the commands and functionality of the language in order to avoid possible vulnerabilities and other problems. Some commands in Tcl allow for "double substitution," where a command can be executed twice, and this opens the door to possible vulnerabilities if the code is not written properly. This video highlights one such command and discusses the need for secure coding practices.
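The following is an added example, not code from the video or from F5, showing double substitution with Tcl's `expr`, a command that performs its own round of substitution on its arguments; the page does not name the command the video covers. It runs under plain `tclsh`, and `marker`, `add_one_unbraced`, `add_one_braced` and the sample input are hypothetical names and values constructed for illustration.

```tcl
# Added example: runs under plain tclsh, not on a BIG-IP.
# marker is a hypothetical stand-in for any command that a caller
# supplying data should never be able to trigger.
set ::calls 0
proc marker {} {
    incr ::calls
    return 1
}

# Constructed sample input, standing in for a value taken from a request.
set untrusted {[marker]}

# Weak form: no braces around the expression.
# Round 1: the Tcl parser replaces $value with the text [marker].
# Round 2: expr parses that text itself and performs command substitution,
# so marker is invoked even though the script never called it directly.
proc add_one_unbraced {value} {
    return [expr $value + 1]
}

# Hardened form: braces suppress the parser's round, so expr performs the
# only substitution and the value stays data. A non-integer value is also
# rejected before it reaches expr at all.
proc add_one_braced {value} {
    if {![string is integer -strict $value]} {
        error "not an integer: $value"
    }
    return [expr {$value + 1}]
}

add_one_unbraced $untrusted
puts "marker calls after unbraced expr: $::calls"

set before $::calls
if {[catch {add_one_braced $untrusted} msg]} {
    puts "braced form rejected input: $msg"
}
puts "marker calls added by braced form: [expr {$::calls - $before}]"
puts "braced form on valid input: [add_one_braced 41]"
```

The same review rule applies to any iRule expression that includes a variable: brace the expression and validate the value's type before using it.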