[pLog-svn] r3259 - in plog/trunk/class: action data/validator

Jon Daley plogworld at jon.limedaley.com
Tue Apr 18 15:07:47 GMT 2006


 	Did I do this right?  I haven't done too much with the validators 
before.  Do we need anything in the template names other than a-z, 0-9, 
A-Z, ".", "-" and "_"?

 	Someone had asked about subdirectories before; we could add 
slashes.  Do we need to worry about international characters?




On Tue, 18 Apr 2006, jondaley at devel.lifetype.net wrote:

> Author: jondaley
> Date: 2006-04-18 14:41:19 +0000 (Tue, 18 Apr 2006)
> New Revision: 3259
>
> Added:
>   plog/trunk/class/data/validator/templatenamevalidator.class.php
> Modified:
>   plog/trunk/class/action/templateaction.class.php
> Log:
> fixed xss in template name.  Presumably there are other places to validate as well
>
> Modified: plog/trunk/class/action/templateaction.class.php
> ===================================================================
> --- plog/trunk/class/action/templateaction.class.php	2006-04-18 14:16:31 UTC (rev 3258)
> +++ plog/trunk/class/action/templateaction.class.php	2006-04-18 14:41:19 UTC (rev 3259)
> @@ -2,7 +2,8 @@
>
> 	include_once( PLOG_CLASS_PATH."class/action/blogaction.class.php" );
>     include_once( PLOG_CLASS_PATH."class/view/templateview.class.php" );
> -    include_once( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
> +    include_once( PLOG_CLASS_PATH."class/data/validator/templatenamevalidator.class.php" );
> +    include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
>
>     /**
>      * \ingroup Action
> @@ -38,8 +39,12 @@
>     	function TemplateAction( $actionInfo, $request )
>         {
>         	$this->BlogAction( $actionInfo, $request );
> -
> -        	$this->registerFieldValidator( "show", new StringValidator());
> +
> +        	$this->registerFieldValidator( "show", new TemplateNameValidator());
> +
> +            $view = new ErrorView( $this->_blogInfo );
> +            $view->setErrorMessage( "Bad characters in the template name." );
> +            $this->setValidationErrorView( $view );
>         }
>
>         /**
> @@ -52,10 +57,10 @@
>          */
>         function perform()
>         {
> -        	// get the value of the template we're trying to render
> +                // get the value of the template we're trying to render
>         	$templateFile = $this->_request->getValue( "show" );
> -            // then, check if it has any extraneous character
> -            if( strstr( $templateFile, ".." )) {
> +                // then, check if it has any extraneous character
> +            if( !$templateFile || strstr( $templateFile, ".." )) {
>                 include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
>
>         	    $view = new ErrorView( $this->_blogInfo, "error_parameter_missing" );
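Review bot: The new `!$templateFile` guard on the `if` line uses PHP truthiness rather than an emptiness test, so a template literally named `0` (which the validator's character class accepts) is reported as `error_parameter_missing`; `if( $templateFile === "" || $templateFile === null || strstr( $templateFile, ".." ))` expresses the intended check without that edge case. Keeping the `..` test here is worthwhile as defense in depth even with the validator registered, because the validator's class includes `.` and so does not by itself reject `..`. The `include_once` of errorview.class.php inside this branch is now redundant with the file-level include added by the same commit. perform() continues outside the hunk.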
> @@ -67,7 +72,6 @@
>
>                 return false;
>             }
> -
>         	// get the name of the template file and create the view
>         	$this->_view = new TemplateView( $this->_blogInfo,
> 			                                 $this->_request->getValue( "show" ));
>
> Added: plog/trunk/class/data/validator/templatenamevalidator.class.php
> ===================================================================
> --- plog/trunk/class/data/validator/templatenamevalidator.class.php	2006-04-18 14:16:31 UTC (rev 3258)
> +++ plog/trunk/class/data/validator/templatenamevalidator.class.php	2006-04-18 14:41:19 UTC (rev 3259)
> @@ -0,0 +1,25 @@
> +<?php
> +
> +	include_once( PLOG_CLASS_PATH."class/data/validator/validator.class.php" );
> +	include_once( PLOG_CLASS_PATH."class/data/validator/rules/regexprule.class.php" );
> +	include_once( PLOG_CLASS_PATH."class/data/validator/rules/nonemptyrule.class.php" );
> +
> +    define(VALID_REGEXP_CHARS, "^([a-z0-9._-]+)$");
> +
> +    /**
> +     * \ingroup Validator
> +     *
> +     * Checks whether the string is a valid template name
> +     *
> +     * @see NonEmptyRule
> +     */
> +    class TemplateNameValidator extends Validator
> +    {
> +    	function TemplateNameValidator()
> +        {
> +        	$this->Validator();
> +			$this->addRule( new NonEmptyRule());
> +        	$this->addRule( new RegExpRule(VALID_REGEXP_CHARS, false ));
> +        }
> +    }
> +?>
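Review bot: The pattern on the `define` line, `^([a-z0-9._-]+)$`, admits `.` in any position, so `..` and names such as `..foo` pass this validator, and path-traversal protection still rests entirely on the separate `strstr( $templateFile, ".." )` check in TemplateAction::perform(); adding `/` to the class later for subdirectories, as the mail above contemplates, would reopen traversal. A pattern that forbids leading, trailing and doubled dots, `^[a-z0-9_-]+(\.[a-z0-9_-]+)*$`, closes this at the validator itself. If RegExpRule is backed by preg_match, `$` also matches before a trailing newline, so anchoring with `\z` (or the `D` modifier) is safer; which engine the rule uses is not visible here. The class is lowercase-only although the mail above lists A-Z, so either add `A-Z` or document that template names are case-sensitive. `define(VALID_REGEXP_CHARS, ...)` passes an unquoted constant name and relies on PHP's bare-word fallback; write `define("VALID_REGEXP_CHARS", ...)` and consider a less generic name, since this is a global constant.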
>
