Bug #36284 for Data-FormValidator: FV_eq

Thu May 29 14:54:16 2008 robert.stockdale [...] gmail.com - Ticket created

Subject:

FV_eq_with return value bug

The coderef returned by FV_eq_with returns true or false instead of the untainted param value.

Thu May 29 15:04:19 2008 mark [...] summersault.com - Correspondence added

Subject:	Re: [rt.cpan.org #36284] FV_eq_with return value bug
Date:	Thu, 29 May 2008 15:03:08 -0400
To:	bug-Data-FormValidator [...] rt.cpan.org
From:	Mark Stosberg <mark [...] summersault.com>

Show quoted text

> The coderef returned by FV_eq_with returns true or false instead of the > untainted param value.

And perhaps it shouldn't. Comparing that values are equal doesn't provide any assurance that either one is safe. The underlying tainting system is based on checking that values match safe patterns, which this constraint doesn't do. Therefore, it doesn't strike me as wise to fake untainting of the values here. The constraint also can't know which of the two inputs might be "safe", to pre-empt the suggestion that if one of the inputs is safe and they are equal, then the other input should be safe, too. If you'd like to discuss it further, I suggest doing so on the users mailing list, so you could get more perspectives besides my own. Mark

Thu May 29 15:04:23 2008 The RT System itself - Status changed from 'new' to 'open'

Mon Jun 16 11:51:29 2008 MARKSTOS [...] cpan.org - Taken

Mon Jun 16 11:52:26 2008 MARKSTOS [...] cpan.org - Correspondence added

Since there has been no further discussion, I'm taking my last comment as the final response, so am considering this bug rejected. Mark

Mon Jun 16 11:52:28 2008 MARKSTOS [...] cpan.org - Status changed from 'open' to 'rejected'

Bug #36284 for Data-FormValidator: FV_eq_with return value bug

Maintainer(s)' notes