[pLog-svn] r3259 - in plog/trunk/class: action data/validator

Oscar Renalias oscar at renalias.net
Wed Apr 19 09:42:57 GMT 2006


I think it looks good to me.

One more thing: could we backport this to 1.0.4? I am thinking that
this is important enough and we could release this and all other fixes
we've been collecting as the last maintenance release of the 1.0.x
branch.

Oscar

On 4/18/06, Jon Daley <plogworld at jon.limedaley.com> wrote:
>         Did I do this right?  I haven't done too much with the validators
> before.  Do we need anything in the template names other than a-z, 0-9,
> A-Z, . - and _?
>
>         Someone had asked about subdirectories before, we could add
> slashes.  Do we need to worry about international characters?
>
>
>
>
> On Tue, 18 Apr 2006, jondaley at devel.lifetype.net wrote:
>
> > Author: jondaley
> > Date: 2006-04-18 14:41:19 +0000 (Tue, 18 Apr 2006)
> > New Revision: 3259
> >
> > Added:
> >   plog/trunk/class/data/validator/templatenamevalidator.class.php
> > Modified:
> >   plog/trunk/class/action/templateaction.class.php
> > Log:
> > fixed xss in template name.  Presumably there are other places to validate as well
> >
> > Modified: plog/trunk/class/action/templateaction.class.php
> > ===================================================================
> > --- plog/trunk/class/action/templateaction.class.php  2006-04-18 14:16:31 UTC (rev 3258)
> > +++ plog/trunk/class/action/templateaction.class.php  2006-04-18 14:41:19 UTC (rev 3259)
> > @@ -2,7 +2,8 @@
> >
> >       include_once( PLOG_CLASS_PATH."class/action/blogaction.class.php" );
> >     include_once( PLOG_CLASS_PATH."class/view/templateview.class.php" );
> > -    include_once( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
> > +    include_once( PLOG_CLASS_PATH."class/data/validator/templatenamevalidator.class.php" );
> > +    include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
> >
> >     /**
> >      * \ingroup Action
> > @@ -38,8 +39,12 @@
> >       function TemplateAction( $actionInfo, $request )
> >         {
> >               $this->BlogAction( $actionInfo, $request );
> > -
> > -             $this->registerFieldValidator( "show", new StringValidator());
> > +
> > +             $this->registerFieldValidator( "show", new TemplateNameValidator());
> > +
> > +            $view = new ErrorView( $this->_blogInfo );
> > +            $view->setErrorMessage( "Bad characters in the template name." );
> > +            $this->setValidationErrorView( $view );
> >         }
> >
> >         /**
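Review bot: the text passed to setErrorMessage() ("Bad characters in the template name.") is a hard-coded English string, whereas perform() in this same file builds its ErrorView with the message key "error_parameter_missing"; use a message id resolved through the locale so the new validation error is translatable like the rest. The added lines also mix a tab-indented registerFieldValidator() call with space-indented $view lines.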
> > @@ -52,10 +57,10 @@
> >          */
> >         function perform()
> >         {
> > -             // get the value of the template we're trying to render
> > +                // get the value of the template we're trying to render
> >               $templateFile = $this->_request->getValue( "show" );
> > -            // then, check if it has any extraneous character
> > -            if( strstr( $templateFile, ".." )) {
> > +                // then, check if it has any extraneous character
> > +            if( !$templateFile || strstr( $templateFile, ".." )) {
> >                 include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
> >
> >                   $view = new ErrorView( $this->_blogInfo, "error_parameter_missing" );
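Review bot: keeping the strstr( $templateFile, ".." ) check is correct and deserves a comment saying why: the pattern in the new TemplateNameValidator permits `.`, so a value such as `..` or `a..b` passes the validator and only this check stops it. The added `!$templateFile` test duplicates the NonEmptyRule that TemplateNameValidator now applies, which is harmless but redundant. The other changes in this hunk only re-indent the two comment lines; dropping those whitespace-only lines keeps the security fix easy to audit.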
> > @@ -67,7 +72,6 @@
> >
> >                 return false;
> >             }
> > -
> >               // get the name of the template file and create the view
> >               $this->_view = new TemplateView( $this->_blogInfo,
> >                                                        $this->_request->getValue( "show" ));
> >
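Review bot: this hunk only removes a blank line; if the block is touched anyway, pass the already-read $templateFile to the TemplateView constructor instead of calling $this->_request->getValue( "show" ) a second time, so the value that was checked for ".." is exactly the one that gets rendered.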
> > Added: plog/trunk/class/data/validator/templatenamevalidator.class.php
> > ===================================================================
> > --- plog/trunk/class/data/validator/templatenamevalidator.class.php   2006-04-18 14:16:31 UTC (rev 3258)
> > +++ plog/trunk/class/data/validator/templatenamevalidator.class.php   2006-04-18 14:41:19 UTC (rev 3259)
> > @@ -0,0 +1,25 @@
> > +<?php
> > +
> > +     include_once( PLOG_CLASS_PATH."class/data/validator/validator.class.php" );
> > +     include_once( PLOG_CLASS_PATH."class/data/validator/rules/regexprule.class.php" );
> > +     include_once( PLOG_CLASS_PATH."class/data/validator/rules/nonemptyrule.class.php" );
> > +
> > +    define(VALID_REGEXP_CHARS, "^([a-z0-9._-]+)$");
> > +
> > +    /**
> > +     * \ingroup Validator
> > +     *
> > +     * Checks whether the string is a valid template name
> > +     *
> > +     * @see NonEmptyRule
> > +     */
> > +    class TemplateNameValidator extends Validator
> > +    {
> > +     function TemplateNameValidator()
> > +        {
> > +             $this->Validator();
> > +                     $this->addRule( new NonEmptyRule());
> > +             $this->addRule( new RegExpRule(VALID_REGEXP_CHARS, false ));
> > +        }
> > +    }
> > +?>
> >
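Review bot: the constant name in `define(VALID_REGEXP_CHARS, "^([a-z0-9._-]+)$");` is unquoted, so PHP looks up an undefined constant and falls back to the bare word with a notice; write `define("VALID_REGEXP_CHARS", ...)`. The pattern also answers Jon's question more narrowly than he asked: only lowercase letters pass, so any existing template directory containing A-Z will now be refused with the "Bad characters" error; either add A-Z to the character class or state that template names are lowercase only. Two smaller points: VALID_REGEXP_CHARS is a very generic name for a global define and is likely to collide with a similar constant in another validator, so prefix it (e.g. TEMPLATE_NAME_REGEXP); and because `.` is allowed the rule cannot by itself reject `..`, so the traversal check in templateaction.class.php must stay. If RegExpRule is backed by preg_match, note as well that `$` without the D modifier accepts a single trailing newline, and `\z` is the stricter anchor. The constructor body mixes tab and space indentation.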
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://devel.lifetype.net/mailman/listinfo/plog-svn
> >
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> Sic friatur crustum dulce.
> -- Latin for All Occasions
>