[pLog-svn] r6688 - plog/branches/lifetype-1.2/class/action

Jon Daley plogworld at jon.limedaley.com
Tue Jul 1 09:15:11 EDT 2008


 	I see your "useless to try again" point.  I think it might not be 
obvious to a non-hacker user why his search terms were invalid.

On Tue, 1 Jul 2008, Mark Wu wrote:

> If you show an error message to the user, then he will know "Ah, this system will
> filter html, so it is useless if I try again"
>
> If you just let the user do the search, then he will try another combination to
> see if our system will filter this.
>
> But, as I said, it is okay for me if you want to change it back, because we
> already filter it before using it.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Tuesday, July 01, 2008 9:02 PM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] r6688 -
>> plog/branches/lifetype-1.2/class/action
>>
>>  	I am not sure what you mean about preventing the hacker
>> from trying again and again.  Since the input was correctly
>> filtered previously, either way, the hacker is stopped.  And
>> so, revision 6688 only changes the behavior for people who
>> are typing in HTML by accident - maybe pasting in code from
>> somewhere else?  I don't know exactly how a person would run
>> into this, but I had left the code the way it was, since I
>> thought it might be better to not change that behavior (I
>> guess really the same argument I am trying to make in the
>> custom field thread - I don't want to break something that
>> currently works for someone, provided I can still make LT secure).
>>
>> On Tue, 1 Jul 2008, Mark Wu wrote:
>>
>>> I had the same thought before.
>>>
>>> And after reviewing the code, I think it is better if lifetype just
>>> rejects it and asks the user to try again.
>>>
>>> Because it will show the warning message to users, and it can prevent
>>> a hacker from trying again and again.
>>>
>>> And it is okay for me if you want to allow html here, because we
>>> already filter it before using it.
>>>
>>> Mark
>>>
>>>> -----Original Message-----
>>>> From: plog-svn-bounces at devel.lifetype.net
>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>>> Sent: Tuesday, July 01, 2008 8:34 PM
>>>> To: LifeType Developer List
>>>> Subject: Re: [pLog-svn] r6688 -
>>>> plog/branches/lifetype-1.2/class/action
>>>>
>>>>  	Yeah, I wondered about this - I think there is a filter later, and
>>>> so that's why I left it.  We should probably remove the filter if we
>>>> aren't going to allow it at all.
>>>> Though when I thought about it, I thought the filter solution was a
>>>> better one - so then the user doesn't get an error, but it just does
>>>> the search.
>>>>
>>>> On Tue, 1 Jul 2008, mark at devel.lifetype.net wrote:
>>>>
>>>>> Author: mark
>>>>> Date: 2008-07-01 01:41:15 -0400 (Tue, 01 Jul 2008)
>>>>> New Revision: 6688
>>>>>
>>>>> Modified:
>>>>>   plog/branches/lifetype-1.2/class/action/defaultaction.class.php
>>>>>   plog/branches/lifetype-1.2/class/action/searchaction.class.php
>>>>> Log:
>>>>> We should not allow the html in searchTerms.
>>>>>
>>>>> Modified:
>>>>> plog/branches/lifetype-1.2/class/action/defaultaction.class.php
>>>>>
>> ===================================================================
>>>>> ---
>>>> plog/branches/lifetype-1.2/class/action/defaultaction.cl
>>>> ass.php	2008-07-01 05:37:16 UTC (rev 6687)
>>>>> +++
>>>> plog/branches/lifetype-1.2/class/action/defaultaction.cl
>>>> ass.php	2008-07-01 05:41:15 UTC (rev 6688)
>>>>> @@ -30,7 +30,7 @@
>>>>>         {
>>>>> 			$this->BlogAction( $actionInfo, $request );
>>>>>
>>>>> -			$this->registerFieldValidator(
>>>> "searchTerms", new StringValidator( true ), true );
>>>>> +			$this->registerFieldValidator(
>>>> "searchTerms", new
>>>>> +StringValidator(), true );
>>>>> 			$this->registerFieldValidator(
>>>> "postCategoryId", new IntegerValidator(), true );
>>>>> 			$this->registerFieldValidator(
>>>> "postCategoryName", new StringValidator( ), true );
>>>>> 			$this->registerFieldValidator(
>>>> "userId", new IntegerValidator(),
>>>>> true );
>>>>>
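Review bot: the log message "We should not allow the html in searchTerms" does not say what the dropped `true` argument to `StringValidator` controlled; name it in the log (or in a comment on the `registerFieldValidator( "searchTerms", ...)` line) so the intent of `new StringValidator()` is reviewable without opening the validator class. Jon Daley's reply also points at a later filter on searchTerms; if the validator now rejects markup before that filter runs, the filter is dead code on this path and should either be removed in the same change or left with a comment saying why both are kept.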
>>>>> Modified:
>>>>> plog/branches/lifetype-1.2/class/action/searchaction.class.php
>>>>>
>> ===================================================================
>>>>> ---
>>>> plog/branches/lifetype-1.2/class/action/searchaction.cl
>>>> ass.php	2008-07-01 05:37:16 UTC (rev 6687)
>>>>> +++
>>>> plog/branches/lifetype-1.2/class/action/searchaction.cl
>>>> ass.php	2008-07-01 05:41:15 UTC (rev 6688)
>>>>> @@ -23,7 +23,7 @@
>>>>>             $this->BlogAction( $actionInfo, $request );
>>>>>
>>>>> 			// data validation
>>>>> -			$this->registerFieldValidator(
>>>> "searchTerms", new StringValidator( true ));
>>>>> +			$this->registerFieldValidator(
>>>> "searchTerms", new
>>>>> +StringValidator());
>>>>> 			$this->setValidationErrorView( new
>>>> ErrorView( $this->_blogInfo, "error_incorrect_search_terms" ));
>>>>>         }
>>>>>
>>>>>
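Review bot: with the stricter validator, a user who pastes markup into the search box now lands on the `error_incorrect_search_terms` view, and that message key gives no hint that tags were the reason; if the rejection is kept, check that the locale string behind this key tells the user that markup is not accepted, since the thread already expects people to hit this by accident. Also, the registration here passes no third argument while the one in defaultaction.class.php passes `true`; if that difference is intentional, a one-line comment here would save the next reader a lookup.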
>>>>> _______________________________________________
>>>>> pLog-svn mailing list
>>>>> pLog-svn at devel.lifetype.net
>>>>> http://limedaley.com/mailman/listinfo/plog-svn
>>>>>
>>>>
>>>> --
>>>> Jon Daley
>>>> http://jon.limedaley.com
>>>> ~~
>>>> There isn't any problem in child-rearing that cannot be solved with
>>>> duct tape.
>>>> -- Alan Wagstaff
>>>
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> The real world is
>> a special case.
>> -- Horngren's Observation
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
Nothing can be done
in one trip.
-- Snider
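The thread weighs two ways of handling markup in the searchTerms field: reject it at validation time and show an error, or let the request through and filter the markup before it is used. The PHP below is an added illustration of that trade-off, written for this page; it is not LifeType code, and `SearchTermsValidator`, `filterSearchTerms` and `renderSearchEcho` are hypothetical names chosen here, not the project's `StringValidator` API. The sample inputs are constructed.

```php
<?php
// Added example, not LifeType code. Contrasts "reject at validation" with
// "filter later", and shows the output-side encoding that is needed either way.

final class SearchTermsValidator
{
    private bool $allowHtml;

    public function __construct(bool $allowHtml = false)
    {
        $this->allowHtml = $allowHtml;
    }

    // Returns true when the value is acceptable as a search string.
    // The caller decides what to do on false (e.g. show an error view).
    public function validate(string $value): bool
    {
        $value = trim($value);
        if ($value === '') {
            return false;
        }
        if ($this->allowHtml) {
            return true;
        }
        // Reject anything that looks like a tag or a character reference
        // instead of guessing what the user meant. A user who hits this
        // by accident needs an error message that says markup is refused.
        return !preg_match('/<[^>]*>|&#?\w+;/', $value);
    }
}

// The "filter later" alternative: let the search proceed, but strip markup
// before the terms reach the query layer. Silent for the user, but the
// stripped text may no longer be what they typed.
function filterSearchTerms(string $value): string
{
    $value = strip_tags($value);
    // collapse the whitespace that stripping can leave behind
    return trim(preg_replace('/\s+/', ' ', $value));
}

// Whichever input-side choice is made, terms echoed back into the results
// page ("Results for: ...") still need output encoding; neither the
// validator nor strip_tags() is a substitute for this.
function renderSearchEcho(string $terms): string
{
    return 'Results for: ' . htmlspecialchars($terms, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a plain search, an accidental paste with tags, a probe.
$inputs = [
    'lifetype plugins',
    'foo <b>bar</b>',
    '<script>alert(1)</script>',
];

$strict  = new SearchTermsValidator(false);   // reject markup
$lenient = new SearchTermsValidator(true);    // accept, rely on later filter

foreach ($inputs as $in) {
    printf("%-30s strict=%-6s lenient=%-6s filtered=%s\n",
        var_export($in, true),
        $strict->validate($in) ? 'ok' : 'REJECT',
        $lenient->validate($in) ? 'ok' : 'REJECT',
        var_export(filterSearchTerms($in), true));
    echo '  echoed: ', renderSearchEcho(filterSearchTerms($in)), "\n";
}
```

Run with `php example.php`. The strict validator refuses the second and third inputs outright, which is the behaviour of the revision under discussion and the reason a clear error text matters; the lenient path accepts them and relies on `filterSearchTerms`, which turns `<script>alert(1)</script>` into the harmless search string `alert(1)`. Keeping both a rejecting validator and a later filter, as the thread notes, leaves one of them redundant on this path.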

