[pLog-svn] r4439 - plog/trunk/class/net
Oscar Renalias
oscar at renalias.net
Tue Jan 2 21:41:45 GMT 2007
Well we definitely need to forbid characters like "/*", no matter the
character set. Can we start with that and see how to improve the regexp?
On 2 Jan 2007, at 15:56, Jon Daley wrote:
> I am not sure what else are valid characters for a resource. And
> it seems hard to strip out certain characters typically used in SQL
> exploits like "/*" in all character sets? Maybe MySQL doesn't
> support the other characters anyway?
>
> On Thu, 28 Dec 2006, Oscar Renalias wrote:
>
>> It worries me too, but I'm really bad at coding regexps. What
>> would the ideal one be?
>>
>> On 28 Dec 2006, at 15:25, Jon Daley wrote:
>>
>>> I don't know how the macros work - I guess it either defaults to
>>> English, which seems like a bad idea, or it has a hard-coded
>>> server-wide locale setting, so not helpful either.
>>> But, .* worries me some.
>>> On Thu, 28 Dec 2006, Oscar Renalias wrote:
>>>> I don't know about :alpha: or :printable:, because we should
>>>> allow all sorts of file names in all sorts of encodings (think
>>>> about Chinese filenames). I suppose [^\n\r] is a good place to
>>>> start.
>>>> On 28 Dec 2006, at 15:04, Jon Daley wrote:
>>>>
>>>>> Is there some sort of :alpha: or :printable: that would be
>>>>> better? Or maybe at least [^\n\r]
>>>>> On Thu, 28 Dec 2006, oscar at devel.lifetype.net wrote:
>>>>>> Author: oscar
>>>>>> Date: 2006-12-28 12:36:16 +0000 (Thu, 28 Dec 2006)
>>>>>> New Revision: 4439
>>>>>> Modified:
>>>>>> plog/trunk/class/net/linkparser.class.php
>>>>>> Log:
>>>>>> I had to soften the regexp used to parse resource names out of
>>>>>> links to resources or else files with things like accented
>>>>>> characters would not be accepted as valid URLs
>>>>>> Modified: plog/trunk/class/net/linkparser.class.php
>>>>>> =================================================================
>>>>>> ==
>>>>>> --- plog/trunk/class/net/linkparser.class.php 2006-12-28
>>>>>> 10:13:02 UTC (rev 4438)
>>>>>> +++ plog/trunk/class/net/linkparser.class.php 2006-12-28
>>>>>> 12:36:16 UTC (rev 4439)
>>>>>> @@ -36,7 +36,7 @@
>>>>>> '{userid}' => '([0-9]+)?',
>>>>>> '{templatename}' => '([_0-9a-zA-Z.-]+)?',
>>>>>> '{resourceid}' => '([0-9]+)?',
>>>>>> - '{resourcename}' => '([_0-9a-zA-Z. \(\)\
>>>>>> [\]-]+)?',
>>>>>> + '{resourcename}' => '(.*)?',
>>>>>> '{albumid}' => '([0-9]+)?',
>>>>>> '{albumname}' => '([_0-9a-zA-Z -]*)?'
>>>>>> );
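Review bot: the new '{resourcename}' => '(.*)?' line replaces an allowlist with a pattern that matches any character, so this placeholder no longer constrains its input at all, while every neighbouring entry ('{templatename}', '{albumname}', the numeric ids) still uses an explicit character class. Accepting accented names does not require dropping the class: it could be widened instead, for example with Unicode letter and number properties under the u modifier, or at minimum replaced by a negated class that excludes '/', '*' and line breaks. The trailing ? is also redundant, since .* already matches the empty string.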
>>>>>> _______________________________________________
>>>>>> pLog-svn mailing list
>>>>>> pLog-svn at devel.lifetype.net
>>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>>>> --
>>>>> Jon Daley
>>>>> http://jon.limedaley.com/
>>>>> There cannot be a crisis next week. My schedule is already full.
>>>>> -- Henry Kissinger
>>> --
>>> Jon Daley
>>> http://jon.limedaley.com/
>>> I either want less corruption, or more chance to participate in it.
>>> -- Ashleigh Brilliant
>>
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> "I see," said the blind man as he picked up a hammer and saw.
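
An added example, not part of the thread or of LifeType's code: one possible answer to the "what would the ideal one be" question above, keeping the rev 4438 character set but widening its letter and digit ranges to Unicode classes. It assumes resource names arrive URL-decoded and UTF-8 encoded; the constant and function names are hypothetical, and the r4439 pattern is anchored and used without modifiers for a stand-alone comparison.

```php
<?php
// Added example, not LifeType code. Assumption: the resource name has
// already been URL-decoded and is expected to be UTF-8.

// Pattern from r4439, anchored for a stand-alone test: any character passes.
const PERMISSIVE = '/\A(.*)?\z/';

// Hypothetical replacement: the rev 4438 set (letters, digits, "_", ".",
// space, parentheses, brackets, "-") with the ASCII letter and digit ranges
// widened to Unicode letters, combining marks and numbers.
const UNICODE_ALLOWLIST = '/\A[\p{L}\p{M}\p{N}_. ()\[\]-]+\z/u';

function isValidResourceName(string $name): bool
{
    // With the u modifier preg_match() returns false on malformed UTF-8,
    // so broken byte sequences fail the check as well.
    return preg_match(UNICODE_ALLOWLIST, $name) === 1;
}

// Constructed sample names.
$samples = [
    'holiday (2006).jpg',    // plain ASCII, valid under rev 4438 too
    'café-été.png',          // accented characters, the case r4439 fixes
    '北京照片.jpg',           // CJK file name
    'notes /* draft.txt',    // contains the "/*" sequence from the thread
    "line\r\nbreak.txt",     // CR/LF, the [^\n\r] concern
    "caf\xE9.png",           // ISO-8859-1 bytes, not valid UTF-8
];

$flags = JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES
       | JSON_INVALID_UTF8_SUBSTITUTE;

foreach ($samples as $name) {
    printf(
        "%-26s permissive=%-3s allowlist=%s\n",
        json_encode($name, $flags),
        preg_match(PERMISSIVE, $name) === 1 ? 'yes' : 'no',
        isValidResourceName($name) ? 'yes' : 'no'
    );
}
```

The allowlist only decides which names are well-formed; it does not replace escaping or parameter binding when the name is later used in a query.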