
This queue is for tickets about the CGI-Untaint CPAN distribution.

Report information
The Basics
Id: 11796
Status: resolved
Priority: 0/
Queue: CGI-Untaint

People
Owner: Nobody in particular
Requestors: mreece [...] sacbee.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Date: Mon, 07 Mar 2005 11:52:09 -0800
Subject: Bug with non-required params in Untaint+FromCGI
From: Michael Reece <mreece [...] sacbee.com>
To: <bug-CGI-Untaint [...] rt.cpan.org>
Greetings.

It appears that in the latest release (1.25) of Untaint, the behavior for false values was changed. This is commented out:

# 'False' values get returned as themselves with no warnings.
# return $self->{__lastval} unless $self->{__lastval};

So now trying to untaint an empty printable field gives the error '() does not untaint with default pattern'

However, Class::CGI::FromCGI does not deal with this well, and reports the error.

I have patched this in FromCGI.pm's sub validate by changing

if ($required{$field} and not $value) {
$them->{_cgi_update_error}->{$field} = "You must supply '$field'"
- } elsif ($err) {
$them->{_cgi_update_error}->{$field} = $err unless $err =~ /^No parameter for/;
} else {
$fields->{$field} = $value
}

to:

if ($required{$field} and not $value) {
$them->{_cgi_update_error}->{$field} = "You must supply '$field'"
+ } elsif ($err && $value) {
$them->{_cgi_update_error}->{$field} = $err unless $err =~ /^No parameter for/;
} else {
$fields->{$field} = $value
}

--
michael reece :: web engineer :: mreece@sacbee.com :: (916)321-1249
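Review bot: the replacement condition `+ } elsif ($err && $value) {` swallows every untaint failure whose result is false, not only the empty-string case this patch is aimed at: whenever $err is set but $value is undef or empty, control now falls through to the else branch and `$fields->{$field} = $value` stores the false value with no entry in `_cgi_update_error`, so an invalid optional field is silently accepted instead of reported. The branch should distinguish "no input supplied" from "input failed to untaint", for instance by testing the raw CGI parameter rather than the extracted $value, or the empty-string case should be fixed in the handler pattern itself so that the error is never raised for an empty optional field.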
Date: Mon, 7 Mar 2005 21:30:56 +0000
From: Tony Bowden <tony [...] kasei.com>
To: "mreece [...] sacbee.com via RT" <bug-CGI-Untaint [...] rt.cpan.org>
Subject: Re: [cpan #11796] Bug with non-required params in Untaint+FromCGI
RT-Send-Cc:
On Mon, Mar 07, 2005 at 03:00:36PM -0500, mreece@sacbee.com via RT wrote:
> So now trying to untaint an empty printable field gives the error '() does
> not untaint with default pattern'

Not for me, it doesn't.

Please send a self-contained test-case that exhibits this.

> However, Class::CGI::FromCGI does not deal with this well, and reports the
> error.

You should send a bug report, ideally with a failing test, to the FromCGI CPAN bug address.

Thanks,

Tony
From: mreece [...] sacbee.com
[tony@kasei.com - Mon Mar 7 17:09:10 2005]:
> On Mon, Mar 07, 2005 at 03:00:36PM -0500, mreece@sacbee.com via RT wrote:
> > So now trying to untaint an empty printable field gives the error '() does
> > not untaint with default pattern'
>
> Not for me, it doesn't.
>
> Please send a self-contained test-case that exhibits this.

% cat test.pl
#!/usr/bin/perl
use CGI::Untaint;
print "using package:\n";
system "head -4 " . $INC{'CGI/Untaint.pm'};
my %params = ( foo => 'bar', baz => '');
my $h = CGI::Untaint->new( %params );
foreach (keys %params) {
    print "\n$_ ($params{$_}) == ", $h->extract(-as_printable => $_), "\n";
    print "error: ", $h->error, "\n";
}

% perl test.pl
using package:
package CGI::Untaint;

use vars qw/$VERSION/;
$VERSION = '1.25';

foo (bar) == bar
error:

baz () ==
error: baz () does not untaint with default pattern

>
> > However, Class::CGI::FromCGI does not deal with this well, and reports the
> > error.
>
> You should send a bug report, ideally with a failing test, to the
> FromCGI CPAN bug address.
>
> Thanks,
>
> Tony
The docs for that module list only your email address (Tony Bowden. <tmtm@kasei.com>). However, I will make a post to http://rt.cpan.org/NoAuth/Bugs.html?Dist=Class-DBI-FromCGI if I can come up with a simple test case, but it should be obvious from the test above.
[mreece@sacbee.com - Mon Mar 7 15:00:36 2005]:
> the behavior for false values was changed. This is commented out:
> # return $self->{__lastval} unless $self->{__lastval};
> I have patched this in FromCGI.pm's sub validate by changing
> + } elsif ($err && $value) {

Hi.

Sorry for taking so long to fix this.

The change in Untaint itself was a red herring here. The real issue is that the regex in printable.pm was checking for [\040-\377\r\n\t]+

I've changed that to [\040-\377\r\n\t]*, thus allowing zero-length strings.

New version on its way to CPAN now.

Thanks,

Tony
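Added example (mine, not code from this ticket or from CGI::Untaint itself): a taint-mode Perl script that reproduces the two handler patterns quoted above through a hypothetical untaint_with helper, showing that the `+` version rejects the empty optional field with exactly the error from the ticket while the `*` version untaints it, and that neither accepts a control character. It assumes $ENV{PATH} is set so that the constructed inputs come out tainted under -T.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Whole-string patterns modelled on the ticket: the 1.25 printable handler
# required at least one character (+); the fix accepts an empty string (*).
my %pattern = (
    'plus (1.25)' => qr/^([\040-\377\r\n\t]+)$/,
    'star (fix)'  => qr/^([\040-\377\r\n\t]*)$/,
);

# Hypothetical helper (not CGI::Untaint's code) with the handler contract the
# ticket describes: return the captured, and therefore untainted, value, or
# undef plus an error message when the whole value does not match.
sub untaint_with {
    my ($field, $value, $re) = @_;
    return ($1, undef) if $value =~ $re;
    return (undef, "$field ($value) does not untaint with default pattern");
}

# Constructed inputs, tainted by appending a zero-length slice of an
# environment value (tainted under -T) so they behave like real CGI params.
my $taint  = substr($ENV{PATH} // '', 0, 0);
my %params = (
    foo  => 'bar' . $taint,
    baz  => '' . $taint,        # the empty optional field from the ticket
    ctrl => "a\x01b" . $taint,  # control character: must fail with both patterns
);

for my $name (sort keys %pattern) {
    print "== $name ==\n";
    for my $field (sort keys %params) {
        my ($clean, $err) = untaint_with($field, $params{$field}, $pattern{$name});
        if (defined $clean) {
            # A value that came out of the capture group is no longer tainted.
            printf "%-4s ok    tainted=%d\n", $field, tainted($clean) ? 1 : 0;
        } else {
            printf "%-4s error %s\n", $field, $err;
        }
    }
}
```

Run it as `perl -T` to keep taint checking on; the `plus` block reports `baz () does not untaint with default pattern`, the `star` block accepts baz as an untainted empty string, and ctrl fails under both.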