
This queue is for tickets about the Class-DBI-Untaint CPAN distribution.

Report information
The Basics
Id: 12334
Status: resolved
Priority: 0/
Queue: Class-DBI-Untaint

People
Owner: Nobody in particular
Requestors: domm [...] zsi.at
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.01
Fixed in: (no value)



Subject: '0' does not untaint as an integer
Hi! When using Class::DBI::Untaint and constraining a column to an integer, CDBI::Untaint raises a validate_column_values error if you pass a 0 (zero) to the restricted column. The attached patch consists of a test case that fails with Class-DBI-Untaint-0.01 and a patch to Untaint.pm that removes the bug. I'm not sure if the real root of the bug might be in CGI::Untaint, though...
diff -r Class-DBI-Untaint-0.01/lib/Class/DBI/Untaint.pm domm_Class-DBI-Untaint-0.01/lib/Class/DBI/Untaint.pm 14c14,20 < CGI::Untaint->new({ $col => +shift })->extract("-as_$type" => $col); --- > my $val=shift; > my $rv=CGI::Untaint->new({ $col => $val })->extract("-as_$type" => $col); > return $rv if $rv; > if ($type eq 'integer') { > return 1 if $val eq '0'; > } > return; diff -r Class-DBI-Untaint-0.01/t/01.t domm_Class-DBI-Untaint-0.01/t/01.t 9c9 < plan $@ ? (skip_all => 'needs DBD::SQLite for testing') : (tests => 3); --- > plan $@ ? (skip_all => 'needs DBD::SQLite for testing') : (tests => 4); 50a51,54 > > my $order3 = eval { My::Order->create({ itemid => 14, orders => 0 }) }; > isa_ok $order3 => "My::Order"; >
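Review bot: in the Untaint.pm hunk, `return 1 if $val eq '0';` patches the symptom rather than the cause. The preceding `return $rv if $rv;` still cannot tell a failed extraction (undef) from a successfully extracted false value, so any other type whose valid result is false is still rejected, and the literal '0' is now accepted without the integer handler having been consulted (and with a different return value, 1, than every other accepted input). Checking the handler's error state after extract() (`my $h = CGI::Untaint->new({ $col => $val }); $h->extract("-as_$type" => $col); return !$h->error;`) covers every type without a per-type special case.

Review bot: the t/01.t hunk only asserts that create() returned a My::Order; it does not check that the stored value is 0, so a fix that accepts 0 but stores undef or '' would pass. Adding `is $order3->orders, 0;` (and bumping the plan to `tests => 5`) would pin the behaviour the ticket is about.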
From: domm [...] zsi.at
[DOMM - Tue Apr 19 04:34:22 2005]:
> The attached patch consists of a test case that fails with Class-DBI-Untaint-0.01 and a patch to Untaint.pm that removes the bug.
Argh, the previously attached patch does not work with e.g. untaint-type text and empty values. This patch should work with all untaint types...
diff -r Class-DBI-Untaint-0.01/lib/Class/DBI/Untaint.pm domm_Class-DBI-Untaint-0.01/lib/Class/DBI/Untaint.pm 14c14,18 < CGI::Untaint->new({ $col => +shift })->extract("-as_$type" => $col); --- > my $val=shift; > my $rv=CGI::Untaint->new({ $col => $val })->extract("-as_$type" => $col); > return $rv if $rv; > return 1 unless $val; > return; diff -r Class-DBI-Untaint-0.01/t/01.t domm_Class-DBI-Untaint-0.01/t/01.t 9c9 < plan $@ ? (skip_all => 'needs DBD::SQLite for testing') : (tests => 3); --- > plan $@ ? (skip_all => 'needs DBD::SQLite for testing') : (tests => 4); 50a51,54 > > my $order3 = eval { My::Order->create({ itemid => 14, orders => 0 }) }; > isa_ok $order3 => "My::Order"; >
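Review bot: in the Untaint.pm hunk, `return 1 unless $val;` accepts every false input (undef, '', '0') without looking at what extract() returned, so a handler that reports an error for empty input is bypassed for '' and the constraint passes data CGI::Untaint rejected. That is the opposite failure from the one being fixed. The ambiguity is in `return $rv if $rv;` treating a false extracted value as a failure; resolving it by consulting the handler (`$h->extract(...); return !$h->error;`) keeps CGI::Untaint's verdict for all inputs instead of overriding it for false ones.

Review bot: the t/01.t hunk is unchanged from the first patch and only covers `orders => 0` on an integer column; the text-type and empty-value case this revision is meant to fix has no test, so nothing would catch a regression there. Add a case for that type too (adjusting the plan count accordingly).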
> When using Class::DBI::Untaint and constraining a column to an integer, CDBI::Untaint raises a validate_column_values error if you pass a 0 (zero) to the restricted column.
Good catch. Sorry it's taken me so long to get round to fixing this.
> The attached patch consists of a test case that fails with Class-DBI-Untaint-0.01 and a patch to Untaint.pm that removes the bug. I'm not sure if the real root of the bug might be in CGI::Untaint, though...
No. It's definitely here. CGI::Untaint does the right thing. We're just checking the wrong thing from it. I've taken a different approach to fixing it though. The return value from the constraint is now (!$h->error), which should always do the right thing. New version on its way to CPAN now.
Thanks, Tony
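An added example, not code from Class::DBI::Untaint or from either participant: three constraint closures in the shape of the one the diffs touch, built on the real CGI::Untaint API (new, extract, error). The first returns the extracted value as 0.01 did, the second applies the `return 1 unless $val` fallback from the second patch, and the third returns `!$h->error` as the maintainer's reply describes. The closure names, the orders/integer column pairing and the sample inputs are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Illustration only (not Class::DBI::Untaint's own code): why a column
# constraint must return "did the untaint succeed?" rather than the
# untainted value itself.
use strict;
use warnings;
use CGI::Untaint;

# 0.01 behaviour: hand back whatever extract() returned. A valid '0'
# comes back as 0, so the caller sees "false" and rejects the row.
sub constraint_by_value {
    my ($col, $type) = @_;    # hypothetical helper; names are assumptions
    return sub {
        my $val = shift;
        return CGI::Untaint->new({ $col => $val })->extract("-as_$type" => $col);
    };
}

# Second patch in the ticket: accept any false input unconditionally.
# This fixes 0 but also passes '' even when the handler reported an error.
sub constraint_by_fallback {
    my ($col, $type) = @_;
    return sub {
        my $val = shift;
        my $rv = CGI::Untaint->new({ $col => $val })->extract("-as_$type" => $col);
        return $rv if $rv;
        return 1 unless $val;
        return;
    };
}

# Maintainer's fix: ask the handler whether extraction failed. The
# extracted value's truthiness never enters into it.
sub constraint_by_error {
    my ($col, $type) = @_;
    return sub {
        my $val = shift;
        my $h = CGI::Untaint->new({ $col => $val });
        $h->extract("-as_$type" => $col);
        return !$h->error;
    };
}

# Constructed inputs: a legitimate zero, a normal integer, an empty
# string and two strings the integer handler must reject.
my @inputs = (0, 42, '', 'abc', '7 apples');

my @checks = (
    [ by_value    => constraint_by_value(orders => 'integer') ],
    [ by_fallback => constraint_by_fallback(orders => 'integer') ],
    [ by_error    => constraint_by_error(orders => 'integer') ],
);

for my $input (@inputs) {
    print "'$input':";
    for my $c (@checks) {
        my ($name, $check) = @$c;
        print "  $name=", ($check->($input) ? 'accept' : 'reject');
    }
    print "\n";
}
```

Run it with CGI::Untaint installed. The row for '0' is the bug in the ticket: by_value rejects it while by_error accepts it. The non-numeric strings are rejected by all three. The difference between by_fallback and by_error shows up on '', which by_fallback accepts without the handler having approved it; by_error simply reports whatever CGI::Untaint decided, which is the property a validation wrapper should have.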