Index: openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl,v diff -u -r1.63 -r1.64 --- openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl 10 Mar 2010 00:44:03 -0000 1.63 +++ openacs-4/packages/acs-tcl/tcl/form-processing-procs.tcl 27 Oct 2014 16:40:06 -0000 1.64 @@ -558,8 +558,9 @@ foreach valid_arg $valid_args { if { [info exists $valid_arg] } { - if { [info exists af_parts(${form_name}__$valid_arg)] && - [lsearch { form name validate export } $valid_arg] == -1 } { + if { [info exists af_parts(${form_name}__$valid_arg)] + && [lsearch { form name validate export } $valid_arg] == -1 + } { return -code error "Form \"$form_name\" already has a \"$valid_arg\" section" } @@ -628,8 +629,9 @@ if { [string index $flag end] ne ")" } { return -code error "Missing or misplaced end parenthesis for flag '$flag' on argument '$element_name'" } - set flag_stem [string range $flag 0 [expr {$left_paren - 1}]] - lappend af_element_parameters($element_name:$flag_stem) [string range $flag [expr {$left_paren + 1}] [expr {[string length $flag]-2}]] + set flag_stem [string range $flag 0 $left_paren-1] + lappend af_element_parameters($element_name:$flag_stem) \ + [string range $flag $left_paren+1 [string length $flag]-2] lappend af_flag_list(${form_name}__$element_name) $flag_stem } else { lappend af_flag_list(${form_name}__$element_name) $flag @@ -724,7 +726,7 @@ # Create the form - eval $create_command + {*}$create_command # Now make it impossible to add params specific to form creation to an extend # block @@ -783,7 +785,7 @@ } lappend command $form_name lappend command [lindex $element_name 1] - eval $command + {*}$command } else { set form_command [list template::element create $form_name $element_name] foreach flag $af_flag_list(${form_name}__$element_name) { 
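Review bot: Replacing `eval $create_command` with `{*}$create_command` in the -724 hunk (and `{*}$command` in the -783 hunk) changes semantics, not just style: `eval` concatenated and re-parsed the string, so element values containing `[`, `$` or `\` got a second round of substitution, whereas `{*}` expands a list without re-evaluating its words. That is the safer behaviour, but it is only correct if `create_command` is built as a proper Tcl list; the -783 hunk shows `command` assembled with `lappend`, while the construction of `create_command` is outside this hunk and should be checked. Both `{*}` and the `$left_paren-1` / `[string length $flag]-2` index arithmetic in the -628 hunk need Tcl 8.5 or later, so the package's minimum Tcl requirement should be bumped if it still declares 8.4. The enclosing `ad_form` procedure starts and ends outside these hunks.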
@@ -837,18 +839,18 @@ } default { - if { [empty_string_p [info commands "::template::data::validate::$flag"]] } { + if { [info commands "::template::data::validate::$flag"] eq "" } { return -code error "element $element_name: data type \"$flag\" is not valid" } lappend form_command "-datatype" lappend form_command $flag set af_type(${form_name}__$element_name) $flag if { $af_element_parameters($element_name:$flag) eq "" } { - if { ![empty_string_p [info command "::template::widget::$flag"]] } { + if { [info commands "::template::widget::$flag"] ne "" } { lappend form_command "-widget" $flag } } else { - if { [empty_string_p [info commands "::template::widget::$af_element_parameters($element_name:$flag)"]] } { + if { [info commands "::template::widget::$af_element_parameters($element_name:$flag)"] eq ""} { return -code error "element $element_name: widget \"$af_element_parameters($element_name:$flag)\" does not exist" } lappend form_command "-widget" $af_element_parameters($element_name:$flag) @@ -861,7 +863,7 @@ lappend form_command "-[lindex $extra_arg 0]" lappend form_command [uplevel [list subst [lindex $extra_arg 1]]] } - eval $form_command + {*}$form_command } } @@ -881,7 +883,7 @@ } } if { [info exists af_to_html(${form_name}__$element_name)] } { - if { [empty_string_p [info commands ::template::util::$af_type(${form_name}__$element_name)::get_property]] } { + if { [info commands ::template::util::$af_type(${form_name}__$element_name)::get_property] eq "" } { return -code error "\"to_html\" not valid for type \"$af_type(${form_name}__$element_name)\"" } } 
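Review bot: The existence checks in the -837 hunk (`[info commands "::template::data::validate::$flag"] eq ""` and the two `::template::widget::…` checks) interpolate `$flag` or the widget parameter into a glob pattern, so a value containing `*`, `?` or `[` matches any command in that namespace and the check passes for a name that does not exist; the value is then handed on as `-datatype` or `-widget`. `$flag` comes from the form specification in page code rather than from the request, so this is a robustness gap rather than a direct attack surface, but an exact lookup is cheap: `if { [namespace which -command ::template::data::validate::$flag] eq "" }`. The same applies to the `get_property` check in the -881 hunk. The enclosing procedure starts and ends outside the hunk.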
@@ -1015,8 +1017,9 @@ foreach element_name $properties(element_names) { if { [info exists values($element_name)] } { - if { [info exists af_flag_list(${form_name}__$element_name)] && \ - [lsearch $af_flag_list(${form_name}__$element_name) multiple] >= 0 } { + if { [info exists af_flag_list(${form_name}__$element_name)] + && [lsearch $af_flag_list(${form_name}__$element_name) multiple] >= 0 + } { template::element set_values $form_name $element_name $values($element_name) } else { template::element set_value $form_name $element_name $values($element_name) @@ -1033,8 +1036,9 @@ # in a reasonable way. foreach element_name $properties(element_names) { - if { [info exists af_flag_list(${form_name}__$element_name)] && \ - [lsearch $af_flag_list(${form_name}__$element_name) multiple] >= 0 } { + if { [info exists af_flag_list(${form_name}__$element_name)] + && [lsearch $af_flag_list(${form_name}__$element_name) multiple] >= 0 + } { set values [uplevel #$level [list template::element get_values $form_name $element_name]] uplevel #$level [list set $element_name $values] } else { 
@@ -1064,16 +1068,32 @@ foreach validate_element $af_validate_elements($form_name) { foreach {element_name validate_expr error_message} $validate_element { - if { ![template::element error_p $form_name $element_name] && \ - ![uplevel #$level [list expr $validate_expr]] } { + if { ![template::element error_p $form_name $element_name] + && ![uplevel #$level [list expr $validate_expr]] + } { template::element set_error $form_name $element_name [uplevel [list subst $error_message]] } } } } if { [template::form is_submission $form_name] } { - if { [uplevel #$level {set __refreshing_p}] } { + upvar #$level __refreshing_p __refreshing_p __confirmed_p __confirmed_p + # + # The values for __refreshing_p and __confirmed_p are returend + # from the client. Since Submitting invalid data to hidden + # elements is a common attack vector, we react harsh if we see + # an invalid input here. + # + if {![string is boolean -strict $__refreshing_p] + || ![string is boolean -strict $__confirmed_p] } { + ad_return_complaint 1 "Your request is invalid." + ns_log Warning "Validation error in hidden form element.\ + This may be part of a vulnerability scan or attack reconnaissance: \ + fish values __refreshing_p '$__refreshing_p' or __confirmed_p '$__confirmed_p'" + ad_script_abort + } + if { $__refreshing_p } { uplevel array unset ${form_name}:error if { [info exists on_refresh] } { @@ -1086,7 +1106,7 @@ # Run confirm and preview templates before we do final processing of the form - if { [info exists confirm_template] && ![uplevel #$level {set __confirmed_p}] } { + if { [info exists confirm_template] && ! $__confirmed_p } { # Pass the form variables to the confirm template, applying the to_html filter if present @@ -1258,10 +1278,10 @@ Example usage:
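Review bot: The new guard in the -1064 hunk writes the client-controlled `__refreshing_p` and `__confirmed_p` values verbatim into the `ns_log Warning` line, so a request can inject newlines or arbitrary text into the server log; since the message already states the values are invalid, log them truncated and quoted, e.g. `[string range $__refreshing_p 0 40]`, or omit them. The guard also dereferences `$__refreshing_p` before checking that the variable exists at `#$level`; if a caller reaches this branch without those hidden elements the result is a Tcl "no such variable" error rather than the intended complaint, so an `[info exists __refreshing_p]` condition would make that failure explicit (the old `uplevel #$level {set __refreshing_p}` had the same behaviour). Minor wording in the added comment and message: `returend` → `returned`, `fish values` → `fishy values`. The enclosing `ad_form` procedure starts and ends outside the hunk.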
     if { [ad_form_new_p -key item_id] } {
-        ad_require_permission $package_id create
+        permission::require_permission -object_id $package_id -privilege create
         set page_title "New Item"
     } else {
-        ad_require_permission $item_id write
+        permission::require_permission -object_id $item_id -privilege write
         set page_title "Edit Item"
     }