
This queue is for tickets about the CGI-Untaint CPAN distribution.

Report information
The Basics
Id: 13501
Status: resolved
Priority: 0/
Queue: CGI-Untaint

People
Owner: Nobody in particular
Requestors: peterspeltz [...] yahoo.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.25
Fixed in: (no value)



Subject: "No parameter for" handling is missing a case
Empty inputs on forms are a case of "No parameter for" that field. CGI programs (at least my modperl maypole ones) receive '', empty strings, as values for empty fields on forms in their parameter hashes. As the test below demonstrates, CGI::Untaint does not treat empty strings as a case of "No parameter for" that field. Repercussions of this have been overly discussed without much closure on mailing lists. Attached is a patch.

Thanks,

no_param.t
--
#!/usr/bin/perl -w
use Test::More tests => 7;
use strict;
use CGI;
use CGI::Untaint;

my $data = {
    name  => "Bart Simpson",
    grade => '',    # Forms return empty string for empty inputs
    age   => '',
    count => undef,
};

{
    my $q = CGI->new($data);
    ok my $h = CGI::Untaint->new($q->Vars), "Create the handler";

    ok !defined(my $res = $h->extract("-as_printable" => 'grade')),
        "Extract '' as printable returns undef";
    ok $h->error =~ /No parameter for/,
        "No parameter for 'grade'. \$h->error is '" . $h->error . "'";

    ok !defined($res = $h->extract("-as_integer" => 'age')),
        "Extract '' as integer returns undef";
    ok $h->error =~ /No parameter for/,
        "No parameter for 'age'. \$h->error is '" . $h->error . "'";

    ok !defined($res = $h->extract("-as_integer" => 'count')),
        "Extract undef as integer returns undef";
    ok $h->error =~ /No parameter for/,
        "No parameter for 'count'. \$h->error is '" . $h->error . "'";
}
--- Untaint.pm 2005-06-26 06:08:59.599753040 -0500 +++ Untaint.patched.pm 2005-06-26 06:08:47.031663680 -0500 @@ -163,9 +163,12 @@ # Do we have a sensible value? Check the default untaint for this # type of variable, unless one is passed. #---------------------------------------------------------------------- - defined(my $raw = $self->{__data}->{$field}) - or die "No parameter for '$field'\n"; + # No param if undefined or empty string + my $raw; + die "No parameter for '$field'\n" + if !defined($raw = $self->{__data}->{$field}) || $raw eq ''; + # 'False' values get returned as themselves with no warnings. # return $self->{__lastval} unless $self->{__lastval};
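Review bot: the added `|| $raw eq ''` test sits in the shared path and so applies to every handler type; an `-as_printable` extraction of a field submitted as '' now dies with "No parameter for" although '' is a valid printable string. If empty submissions should count as missing only for some types, that check belongs in those handlers (or behind an option) rather than in the common code, and the changed semantics need a note in the POD. A value consisting only of whitespace still passes this check, so the new rule does not cover every empty form input either, and separating `my $raw;` from the assignment inside the `die ... if` reads less directly than the original `defined(my $raw = ...) or die` form.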
Date: Fri, 1 Jul 2005 21:49:16 +0100
From: Tony Bowden <tony [...] kasei.com>
To: Guest via RT <bug-CGI-Untaint [...] rt.cpan.org>
Subject: Re: [cpan #13501] "No parameter for" handling is missing a case
RT-Send-Cc:
On Fri, Jul 01, 2005 at 12:46:32PM -0400, Guest via RT wrote:
> Empty inputs on forms are a case of "No parameter for" that field.
> CGI programs (at least my modperl maypole ones) receive '', empty strings,
> as values for empty fields on forms in their parameter hashes. As the test
> below demonstrates CGI::Untaint does not treat empty strings as a case of
> "No parameter for" that field. Repercussions of this have been overly
> discussed without much closure on mailing lists. Attached is a patch.
I am yet to be convinced that this is a bug.
> my $data = {
>     name  => "Bart Simpson",
>     grade => '',    # Forms return empty string for empty inputs
>     age   => '',
>     count => undef,
> };
> ok !defined(my $res = $h->extract("-as_printable" => 'grade')),
>     "Extract '' as printable returns undef";
This would not be correct behaviour. An empty string here is a valid printable string.

Tony
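As an added illustration of the disagreement in this ticket (not code from the ticket or from CGI::Untaint itself), here is a caller-side way to get the requester's behaviour without changing the module: the application decides per field whether an empty or absent submission is an error, and only hands non-empty values to extract, so '' remains a valid printable inside CGI::Untaint. It assumes CGI and CGI::Untaint are installed; the %field policy table and read_field are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Untaint;

# Constructed sample request, mirroring the data in the ticket's test.
my $q = CGI->new({ name => "Bart Simpson", grade => '', age => '', count => undef });
my %in = $q->Vars;
my $h  = CGI::Untaint->new($q->Vars);

# Hypothetical application-side policy: which handler checks each field,
# and whether an empty or absent submission is an error for that field.
my %field = (
    name  => { as => '-as_printable', required => 1 },
    grade => { as => '-as_printable', required => 0 },
    age   => { as => '-as_integer',   required => 1 },
    count => { as => '-as_integer',   required => 0 },
);

# Returns ($value, $error). Missing/empty is decided here, before the value
# reaches CGI::Untaint, so the module's own semantics are left untouched.
sub read_field {
    my ($h, $raw, $name, $spec) = @_;
    if (!defined $raw || $raw eq '') {
        return (undef, "No parameter for '$name'") if $spec->{required};
        return (undef, undef);    # optional and empty: absent, not an error
    }
    my $val = $h->extract($spec->{as} => $name);
    return defined $val ? ($val, undef) : (undef, $h->error);
}

for my $name (sort keys %field) {
    my ($val, $err) = read_field($h, $in{$name}, $name, $field{$name});
    if (defined $err)    { print "$name: rejected ($err)\n" }
    elsif (defined $val) { print "$name: ok '$val'\n" }
    else                 { print "$name: not supplied (optional)\n" }
}
```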