[AMG]: An injection attack is the substitution of executable code into an expression. A system is vulnerable to injection attacks when it reparses substitution results. Tcl normally does not reparse substitution results, but several Tcl commands internally perform parsing and substitution on their arguments, after Tcl has already parsed and substituted them.

Here's an example value of $exploit that can be used in the following code snippets. Don't use it; typing this and executing it is playing with fire!

======
set exploit {[exec rm -rf /]}
======

Here's a safer version for testing:

======
set exploit {[error PWNED!]}
======

**[after]**

======
after 0 puts $exploit    ;# vulnerable
after 0 {puts $exploit}  ;# safe
======

**[apply]**

======
apply "{exploit} {puts $exploit}" $exploit  ;# vulnerable
apply {{exploit} {puts $exploit}} $exploit  ;# safe
======

**[catch]**

======
catch "puts $exploit"  ;# vulnerable
catch {puts $exploit}  ;# safe
======

**[dict filter]**

======
dict filter {a 1} script {k v} "puts $exploit; lindex 1"  ;# vulnerable
dict filter {a 1} script {k v} {puts $exploit; lindex 1}  ;# safe
======

**[dict for]**

======
dict for {k v} {a 1} "puts $exploit"  ;# vulnerable
dict for {k v} {a 1} {puts $exploit}  ;# safe
======

**[eval]**

======
eval puts $exploit    ;# vulnerable
eval "puts $exploit"  ;# vulnerable
eval {puts $exploit}  ;# safe
======

**[expr]**

======
expr 2 + 2 == $exploit    ;# vulnerable
expr "2 + 2 == $exploit"  ;# vulnerable
expr {2 + 2 == $exploit}  ;# safe
======

Always [brace your expr-essions]!!

**[subst]**

======
subst "this is vulnerable to the $exploit"
subst {this is immune to the $exploit}
======

The -novariables and -nobackslashes options can't be used to completely deny access to variables and backslash substitutions if -nocommands is not given. (Passing all three options means that [[subst]] will simply return its argument, same as single-argument [[[lindex]]].) This is because command substitution (script substitution) is allowed to internally use variables and backslashes.

''more to come...''

**Others**

Here's a very famous injection attack: [http://imgs.xkcd.com/comics/exploits_of_a_mom.png] [http://xkcd.com/327/]
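An added example (not part of the original page) that runs the vulnerable and safe forms from above under [catch] and reports whether the injected command actually ran, and then shows [list] as the way to quote untrusted data when a script has to be assembled at run time. The procs probe and show are assumptions; the $exploit value is the page's safer test value.

```tcl
# Harness (added example, not from the page): run each form under [catch]
# so the injected [error PWNED!] is observed as a return value instead of
# aborting the script. Uses the page's safer test value of $exploit.
set exploit {[error PWNED!]}

# Returns "injected" when the bracketed command inside $exploit actually
# ran, and "safe" when the command only saw the text of $exploit.
proc probe {script} {
    if {[catch {uplevel #0 $script} msg] && $msg eq "PWNED!"} {
        return injected
    }
    return safe
}

# Concatenated and double-quoted forms: the outer parser substitutes
# $exploit, then the command reparses the result, so the bracket runs.
puts [probe {eval "puts $exploit"}]                 ;# injected
puts [probe {expr "2 + 2 == $exploit"}]             ;# injected
puts [probe {subst "text: $exploit"}]               ;# injected

# Braced forms: the command parses the literal itself and substitutes
# $exploit exactly once; the resulting value is never parsed as code.
puts [probe {eval {puts $exploit}}]                 ;# safe
puts [probe {expr {2 + 2 == $exploit}}]             ;# safe
puts [probe {subst {text: $exploit}}]               ;# safe

# -novariables does not help once the outer parser has already inserted
# the value; only -nocommands stops the bracketed command from running.
puts [probe {subst -novariables "text: $exploit"}]  ;# injected
puts [probe {subst -nocommands "text: $exploit"}]   ;# safe

# When a script must be assembled from data at run time (an argument for
# [after], [eval] or similar), quote every word with [list]: the value
# becomes one properly quoted word and is not reparsed as code.
proc show {value} {
    eval [list puts $value]                         ;# safe
}
puts [probe {show $exploit}]                        ;# safe
```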