[pLog-svn] BlogNameValidator() cause Chinese blog name error!

Mark Wu markplace at gmail.com
Tue Sep 11 14:10:00 EDT 2007


The problem is, the validator performs the wrong validation.

Take these two strings as an example:

String 1: "select * from plog_articles where topic like '%test%'"
String 2: "台北教會"

String 1 can pass the blognamevalidator
String 2 can't pass the blognamevalidator

String 1 is someone trying to SQL inject our addBlogAction
String 2 is normal Chinese characters

So, .... Do you see the difference?

Even if we use urlize() or domainize() to validate the blog name, string 1
still passes to perform() ...

Maybe we should go back to the original point: what's the purpose of
blognamevalidator()?

After going through the code, I think it is to check whether the blog name is
valid as part of a domain name or not.

So, if we need to check whether the blog name includes any SQL injection or not, we
need to write another validator or just escape the string before we use it.
It may be clearer.

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Wednesday, September 12, 2007 1:56 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese 
> blog name error!
> 
>  	Yes, I agree that looks ugly, and we should try to not do that. 
> Has someone (oscar) not liked the blog_slug - or is it just 
> that it requires new code, so it isn't a trivial add?
>  	For validating - it isn't a "free form string", it is a 
> blog name, so [a-zA-Z] or whatever we do is good enough for 
> English - is there a similar regexp you can add that covers 
> Chinese characters?  (Do we need to cover other languages too?)
> 
> On Wed, 12 Sep 2007, Mark Wu wrote:
> 
> > Hi Jon:
> 
> Take a look at the Wikipedia zh version.  The Chinese string
> can be encoded to UTF-8 like:
> 
> http://zh.wikipedia.org/w/index.php?title=%E4%B8%AD%E4%B8%96%E7%B4%80%E9%A3%B2%E9%A3%9F%E6%96%87%E5%8C%96&variant=zh-tw
> 
> The browser will accept this, and both FF and IE accept this.
> 
> For me, I don't like it. That's why I said "blog_slug" is a 
> better solution for this. :D
> 
> Agreed, we need to validate the input string. But I really 
> have no idea how to validate a free form "string".
> 
> And, even if we use the domainize or urlize function to validate 
> the blog name at this moment, we still use the original blog 
> name input by the user (only with filter html) in our addBlogAction ...
> 
> So, if SQL injection occurs with the string validator, it 
> happens with blognamevalidator, too ...
> 
> Mark
> 
> > -----Original Message-----
> > From: plog-svn-bounces at devel.lifetype.net
> > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> > Sent: Wednesday, September 12, 2007 1:29 AM
> > To: LifeType Developer List
> > Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese blog name 
> > error!
> >
> >  	You said, "if you use UTF8, it would be fixed".  But then you said
> > that it would show %xx%yy - is that acceptable?
> >  Does it actually show those characters in the URL, or does the
> > browser/server change those back to "real" characters, that look how
> > you want?
> >
> >  	We need validation on input, and string validator doesn't count.
> > Can you write a validator that works for you, and doesn't allow SQL
> > injections?
> > 
> > On Wed, 12 Sep 2007, Mark Wu wrote:
> > 
> > As you said, the issue is everywhere in lifetype when we convert the
> > string to a valid url, for example, {xxxname} in custom url. It is an old
> > problem. :(
> > 
> > That's why most China/Taiwan users use {xxxid} instead of
> > {xxxname} in custom url
> > 
> > ** I raised this issue before, I said maybe we have to add
> > xx_slug for every object that needs to be urlized. But we all agreed
> > it is not a good idea to add xxx_slug to XX objects. :)
> > 
> > And, yes, the issue can be fixed, if we only use the utf8 ...
> > 
> > After we urlize the Chinese sentence (encode the string to
> > utf8), the string will become %xx%yy%zz .
> > 
> > The "%xx%yy%zz" can be used in a url path without any problem, but does not
> > work in a domain name ... That's another issue.
> > 
> > Therefore I said it can't be fixed. :(
> > 
> > Mark
> > 
> > > -----Original Message-----
> > > From: plog-svn-bounces at devel.lifetype.net
> > > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of 
> Jon Daley
> > > Sent: Wednesday, September 12, 2007 12:51 AM
> > > To: LifeType Developer List
> > > Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese 
> blog name 
> > > error!
> > >
> > >  	I understand that it returns an empty string, but the
> > > problem isn't in the blognamevalidator, but in urlize and domainize,
> > > which are used in other places in the code.  Don't you have issues elsewhere?
> > > 
> > > On Wed, 12 Sep 2007, Mark Wu wrote:
> > > 
> > > > Hi Jon:
> > > 
> > > Agreed.
> > > 
> > > But, I don't think it can be fixed if we use the domainize()
> > > function. It is because domainize() and urlize() will remove some invalid 
> > > characters that are not allowed in a url.
> > > 
> > > Sometimes, the whole Chinese sentence after domainize() or
> > > urlize() will return an empty string, or the same string as another
> > > different Chinese sentence.
> > > 
> > > Take the Chinese sentence "台北教會" for example. It means "church in 
> > > Taipei". After domainize(), it will return an EMPTY string. So,
> > > the user can not create a new blog .....
> > > 
> > > That's why I said I have to change it back to string
> > > validator ONLY IF the blog admin does not enable subdomain or blogdomain.
> > > 
> > > Or most Chinese users can not add a new blog at this
> > > moment, it is really not good.
> > > 
> > > ** The best way to solve this is to add a blog_slug to 
> > > blogInfo; it is different to the blog name. It can avoid all this kind of problem.
> > > 
> > > Mark
> > > 
> > > > -----Original Message-----
> > > > From: plog-svn-bounces at devel.lifetype.net
> > > > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of
> > Jon Daley
> > > > Sent: Tuesday, September 11, 2007 9:24 PM
> > > > To: LifeType Developer List
> > > > Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese
> > blog name
> > > > error!
> > > >
> > > >  	I don't think changing it to string validator is the
> > > > right answer, since we use urlize and domainize other places, so if they
> > > > are broken for chinese characters, they need to be fixed, otherwise,
> > > > you will have issues in other places too.
> > > >  	A string validator doesn't do anything, so we can't
> > > > count on that to actually validate the data.
> > > > 
> > > > On Tue, 11 Sep 2007, Mark Wu wrote:
> > > > 
> > > > > Hi Oscar & Jon:
> > > > >
> > > > > It seems the new BlogNameValidator will cause some error
> > > > > when the user enters a Chinese blog name.
> > > > >
> > > > > I am still checking on it, it seems the new
> > > > > Textfilter::domainize() or Textfilter::urlize() causes the error.
> > > > >
> > > > > If I can not fix this bug, I will change it back to string
> > > > > validator if the blog admin does not enable the subdomain and blogdomain
> > > > > functions. It can avoid this kind of problem.
> > > > >
> > > > > Mark
> > > > >
> > > > 
> > > > --
> > > > Jon Daley
> > > > http://jon.limedaley.com/
> > > > 
> > > > The real world is
> > > > a special case.
> > > > -- Horngren's Observation
> > > > _______________________________________________
> > > > pLog-svn mailing list
> > > > pLog-svn at devel.lifetype.net
> > > > http://limedaley.com/mailman/listinfo/plog-svn
> > > 
> > > 
> > > --
> > > Jon Daley
> > > http://jon.limedaley.com/
> > > 
> > > Keep your face to the sunshine and you cannot see the shadow.
> > > -- Helen Keller
> > 
> > 
> > --
> > Jon Daley
> > http://jon.limedaley.com/
> > 
> > The secret to programming is not intelligence,
> >    though of course that helps.
> > It is not hard work or experience, though they help, too.
> > The secret to programming is having smart friends.
> 
> 
> --
> Jon Daley
> http://jon.limedaley.com/
> 
> Use of excessive, unnecessary, commas, has always been,
>    one of my, pet peeves.
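As an added illustration of the two points in this thread (it is not code from the thread or from LifeType, whose code is PHP; this is Python with hypothetical stand-in domainize()/urlize() functions that mimic the behaviour the thread describes), the example below shows why the SQL-looking string passes a domain-label check while "台北教會" does not, and why SQL safety has to come from the query itself rather than from the name validator:

```python
import re
import sqlite3
from urllib.parse import quote

# Constructed sample inputs taken from the thread: a SQL-looking string and a Chinese blog name.
SQL_LIKE_NAME = "select * from plog_articles where topic like '%test%'"
CHINESE_NAME = "台北教會"  # "church in Taipei"


def domainize(name: str) -> str:
    """Hypothetical stand-in for Textfilter::domainize(): keep only characters legal in a
    DNS label, as the thread describes. Every non-ASCII character is simply dropped."""
    label = re.sub(r"[^a-z0-9-]", "", name.lower().replace(" ", "-"))
    return label.strip("-")[:63]

def urlize(name: str) -> str:
    """Stand-in for urlize(): percent-encode the UTF-8 bytes, the %xx%yy form from the
    thread. Fine in a URL path, but not usable as a domain label."""
    return quote(name, safe="")

def blog_name_is_valid_label(name: str) -> bool:
    """What the thread concludes BlogNameValidator really checks: can the name be used as
    a subdomain label? It says nothing about SQL safety."""
    label = domainize(name)
    return re.fullmatch(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", label) is not None

def setup_db() -> sqlite3.Connection:
    """In-memory table with a separate slug column (the blog_slug idea from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blogs(id INTEGER PRIMARY KEY, name TEXT, slug TEXT UNIQUE)")
    return conn

def store_blog(conn: sqlite3.Connection, name: str, slug: str) -> int:
    """Persist the user's original name with a parameterized query: SQL safety comes from
    the placeholder, not from whatever the name validator accepted."""
    cur = conn.execute("INSERT INTO blogs(name, slug) VALUES (?, ?)", (name, slug))
    return cur.lastrowid

def demo() -> dict:
    """Store both names and read them back unchanged; returns {id: stored name}."""
    conn = setup_db()
    stored = {}
    for name, slug in ((SQL_LIKE_NAME, "sqlish"), (CHINESE_NAME, "taipei-church")):
        row_id = store_blog(conn, name, slug)
        stored[row_id] = conn.execute("SELECT name FROM blogs WHERE id = ?", (row_id,)).fetchone()[0]
    return stored
```

The name validator decides only whether a usable subdomain label exists; the stored name is protected by the parameterized INSERT regardless of what the validator accepts, and a separate slug lets a Chinese name be stored even when domainize() yields nothing.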
