Forum Discussion
uni
Altostratus
Maybe check the file name represents an ifile early. Then, as long as your ifile names are "sane", you'll have no issues.
# lsearch returns the index of the match, or -1 if the name is not in the list
if { [lsearch -exact [ifile listall] "$qrystr"] >= 0 } {
...
}
Sam_Hall
Dec 04, 2013
Nimbostratus
Thanks, certainly looks safer and it's a cleaner option than using the catch command. I'm happy with this solution since we have full control over the ifile names, and I assume there's not much risk of TCL interpreting them as anything other than strings anyway.
I'm relatively new to TCL and started to worry that TCL injection might be a possibility. A quick search turned up only a couple options for sanity checking, either using regex (which is apparently inefficient) or using scan (which seemed pretty limited).
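An added example (not from the thread or from F5) of the allowlist lookup discussed above, written to run in plain tclsh. The `known` list stands in for the result of `ifile listall`; the proc names and sample values are assumptions.

```tcl
# Added example. On a BIG-IP the list of names would come from
# [ifile listall]; here it is a constructed sample so the script runs offline.

# Return 1 only when $name is exactly one of the known iFile names.
proc is_known_ifile {known name} {
    # lsearch yields the match index (0 for the first element) or -1, so the
    # result is compared against 0 rather than used directly as a boolean.
    # -exact compares literally: glob and regexp characters have no meaning.
    # The expression is braced, so $name is substituted once as data and is
    # never re-parsed as Tcl.
    return [expr {[lsearch -exact $known $name] >= 0}]
}

# The same lookup with the index used as a truth value, for comparison:
# index 0 reads as false and -1 reads as true.
proc index_as_boolean {known name} {
    if {[lsearch -exact $known $name]} { return 1 }
    return 0
}

# Constructed sample iFile names (assumption).
set known {logo.png maintenance.html robots.txt}

# Constructed query strings: two valid names, a glob pattern, a string that
# looks like a command substitution, an empty string, and a near miss.
set queries [list logo.png robots.txt *.png {[info hostname]} {} logo.png.bak]

foreach qrystr $queries {
    set verdict [expr {[is_known_ifile $known $qrystr] ? "serve " : "reject"}]
    puts [format "%s  '%s'  (index-as-boolean says %d)" \
        $verdict $qrystr [index_as_boolean $known $qrystr]]
}
```

Because only names that already exist as iFiles pass the check, no regex or `scan` validation of the query string is needed before the lookup.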