[pLog-svn] r6688 - plog/branches/lifetype-1.2/class/action

Jon Daley plogworld at jon.limedaley.com
Tue Jul 1 09:01:50 EDT 2008


 	I am not sure what you mean about preventing the hacker from 
trying again and again.  Since the input was correctly filtered 
previously, either way, the hacker is stopped.  And so, revision 6688 only 
changes the behavior for people who are typing in HTML by accident - maybe 
pasting in code from somewhere else?  I don't know exactly how a person 
would run into this, but I had left the code the way it was, since I 
thought it might be better to not change that behavior (I guess really the 
same argument I am trying to make in the custom field thread - I don't 
want to break something that currently works for someone, provided I can 
still make LT secure).

On Tue, 1 Jul 2008, Mark Wu wrote:

> I had the same thought before.
>
> And after reviewing the code, I think it is better if LifeType just rejects it
> and asks the user to try again.
>
> Because it will show the warning message to users, and it can prevent a hacker
> from trying again and again.
>
> And it is okay for me if you want to allow HTML here, because we already
> filter it before using it.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Tuesday, July 01, 2008 8:34 PM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] r6688 -
>> plog/branches/lifetype-1.2/class/action
>>
>>  	Yeah, I wondered about this - I think there is a filter
>> later, and so that's why I left it.  We should probably
>> remove the filter if we aren't going to allow it at all.
>> Though when I thought about it, I thought the filter solution
>> was a better one - so then the user doesn't get an error, but
>> it just does the search.
>>
>> On Tue, 1 Jul 2008, mark at devel.lifetype.net wrote:
>>
>>> Author: mark
>>> Date: 2008-07-01 01:41:15 -0400 (Tue, 01 Jul 2008)
>>> New Revision: 6688
>>>
>>> Modified:
>>>   plog/branches/lifetype-1.2/class/action/defaultaction.class.php
>>>   plog/branches/lifetype-1.2/class/action/searchaction.class.php
>>> Log:
>>> We should not allow HTML in searchTerms.
>>>
>>> Modified:
>>> plog/branches/lifetype-1.2/class/action/defaultaction.class.php
>>> ===================================================================
>>> ---
>> plog/branches/lifetype-1.2/class/action/defaultaction.cl
>> ass.php	2008-07-01 05:37:16 UTC (rev 6687)
>>> +++
>> plog/branches/lifetype-1.2/class/action/defaultaction.cl
>> ass.php	2008-07-01 05:41:15 UTC (rev 6688)
>>> @@ -30,7 +30,7 @@
>>>         {
>>> 			$this->BlogAction( $actionInfo, $request );
>>>
>>> -			$this->registerFieldValidator(
>> "searchTerms", new StringValidator( true ), true );
>>> +			$this->registerFieldValidator(
>> "searchTerms", new
>>> +StringValidator(), true );
>>> 			$this->registerFieldValidator(
>> "postCategoryId", new IntegerValidator(), true );
>>> 			$this->registerFieldValidator(
>> "postCategoryName", new StringValidator( ), true );
>>> 			$this->registerFieldValidator(
>> "userId", new IntegerValidator(),
>>> true );
>>>
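Review bot: the `-`/`+` pair that changes `new StringValidator( true )` to `new StringValidator()` for "searchTerms" turns input that was previously accepted (markup in the search box) into a validation failure, but neither this hunk nor the log line "We should not allow the html in searchTerms." says what DefaultAction does when that validation fails; unlike the searchaction.class.php hunk, no `setValidationErrorView` call is visible in this context, so confirm that a search containing markup produces a clear error on the default page rather than a generic failure, and extend the log message to state that rejection at validation now replaces the filter the thread says is applied later. A short comment on the `+` line (for example `// reject markup in search terms before any later filtering`) would record the intent that this thread had to reconstruct.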
>>> Modified:
>>> plog/branches/lifetype-1.2/class/action/searchaction.class.php
>>> ===================================================================
>>> ---
>> plog/branches/lifetype-1.2/class/action/searchaction.cl
>> ass.php	2008-07-01 05:37:16 UTC (rev 6687)
>>> +++
>> plog/branches/lifetype-1.2/class/action/searchaction.cl
>> ass.php	2008-07-01 05:41:15 UTC (rev 6688)
>>> @@ -23,7 +23,7 @@
>>>             $this->BlogAction( $actionInfo, $request );
>>>
>>> 			// data validation
>>> -			$this->registerFieldValidator(
>> "searchTerms", new StringValidator( true ));
>>> +			$this->registerFieldValidator(
>> "searchTerms", new
>>> +StringValidator());
>>> 			$this->setValidationErrorView( new
>> ErrorView( $this->_blogInfo, "error_incorrect_search_terms" ));
>>>         }
>>>
>>>
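Review bot: with `new StringValidator()` now rejecting markup in "searchTerms", the following `setValidationErrorView( new ErrorView( $this->_blogInfo, "error_incorrect_search_terms" ))` becomes the user-visible result for any pasted HTML, which is exactly the behaviour change the thread is debating, yet the log message does not mention it. If the filter the thread says runs later on searchTerms is kept, it is now redundant for this action and should either be removed or marked with a comment as defence in depth behind this validator; a regression test that submits a term such as `<b>foo</b>` to SearchAction and asserts the error view is returned, while a plain term still reaches the search, would pin the decision down for both actions.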
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> There isn't any problem in child-rearing that cannot be
>> solved with duct tape.
>> -- Alan Wagstaff

-- 
Jon Daley
http://jon.limedaley.com
~~
The real world is
a special case.
-- Horngren's Observation