Checking of External Input
Because it must interact with an external VCS server, the VCS Integration feature has to accept data transmitted from that server. For example, within the VCS server, it is possible for a malicious user to create a version label containing a destructive command. If the same malicious user logged on to Designer and used the Get Earlier Version command to retrieve a package or element tagged with this label, the command could damage the Integration Server file system.
The VCS Integration feature minimizes this threat by checking data arriving from the VCS server for the prohibited characters ";" and "&". If either of these characters is found, the operation is halted and an error message appears within Designer.
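The check described above, sketched as an added example (this is not webMethods code): every field of a record received from the VCS server is scanned for ";" and "&", and the operation halts with an error on any hit. The record fields, the `vcs-client` command and its flags are hypothetical, and building the call as an argument list rather than a shell string is an additional assumption, not something this page says the product does.

```python
from dataclasses import dataclass

# The two characters the page lists as prohibited in VCS-supplied data.
PROHIBITED = (";", "&")


class ProhibitedInputError(ValueError):
    """Raised to halt an operation when VCS-supplied data fails the check."""


@dataclass(frozen=True)
class Finding:
    field: str   # which field of the record held the character
    char: str    # the prohibited character found
    offset: int  # zero-based position inside the field value


def scan_vcs_record(record):
    """Return a Finding for every prohibited character in any field."""
    return [Finding(name, ch, pos)
            for name, value in record.items()
            for pos, ch in enumerate(value)
            if ch in PROHIBITED]


def require_clean(record):
    """Halt (raise) if any field contains a prohibited character."""
    findings = scan_vcs_record(record)
    if findings:
        detail = ", ".join(f"{f.field}[{f.offset}]={f.char!r}" for f in findings)
        raise ProhibitedInputError(f"operation halted: {detail}")
    return record


def build_get_argv(client, record):
    """Check the record, then build the client call as an argument list.

    Assumption: 'client' and its flags are hypothetical. Handing this list
    to subprocess.run() without shell=True keeps the label a single argument.
    """
    clean = require_clean(record)
    return [client, "get", "--label", clean["label"], clean["path"]]


# Constructed sample records, not taken from any real VCS server.
GOOD = {"label": "release-1.0", "path": "packages/Orders"}
BAD = {"label": "release-1.0; echo injected", "path": "packages/Orders&x"}
```

Logging the field name and offset from each `Finding` gives an administrator enough to locate the offending label or path on the VCS server.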