Skip Menu |

This queue is for tickets about the Data-FormValidator CPAN distribution.

Maintainer(s)' notes

This is the bug queue for Data::FormValidator.

Report information
The Basics
Id: 44004
Status: resolved
Priority: 0/
Queue: Data-FormValidator
People
Owner: MARKSTOS [...] cpan.org
Requestors: matt.lawrence [...] virgin.net
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in:
  • 4.61
  • 4.62
  • 4.63
Fixed in: (no value)

History Show all quoted text
  Tue Mar 10 10:41:35 2009 matt.lawrence [...] virgin.net - Ticket created
Subject: untainted multiline fields in FV_length methods are truncated
The method used to untaint values in FV_length_* constraints will remove everything after the first newline. I've attached a patch which fixes the problem and provides additional tests.
Subject: untaint_fv_length.diff
--- lib/Data/FormValidator/Constraints.pm Sat Jan 3 17:12:02 2009 +++ lib/Data/FormValidator/Constraints.pm Tue Mar 10 14:29:29 2009 @@ -279,7 +279,7 @@ $dfv->name_this('length_between'); return undef if ( ( length($value) > $max ) || ( length($value) < $min) ); # Use a regexp to untaint - $value=~/(.*)/; + $value=~/(.*)/s; return $dfv->untainted_constraint_value($1); } } @@ -292,7 +292,7 @@ $dfv->name_this('max_length'); return undef if ( length($value) > $max ); # Use a regexp to untaint - $value=~/(.*)/; + $value=~/(.*)/s; return $dfv->untainted_constraint_value($1); } } @@ -305,7 +305,7 @@ $dfv->name_this('min_length'); return undef if ( length($value) < $min ); # Use a regexp to untaint - $value=~/(.*)/; + $value=~/(.*)/s; return $dfv->untainted_constraint_value($1); } } --- t/FV_length.t Sat Jan 3 17:12:02 2009 +++ t/FV_length.t Tue Mar 10 14:31:03 2009 @@ -41,7 +41,7 @@ # Test multi-line input: someone might be using this for a textarea or somesuch my $multiline_result = Data::FormValidator->check( - { + my $expect = { alpha => "apple\naeroplane\n", # 16 char beta => "bus\nbuffalo\n", # 12 char charlie => "cat\ncoconut\ncoffee\n", # 19 char @@ -52,6 +52,7 @@ }, { required => [qw/alpha beta charlie delta echo foxtrot golf/], + untaint_all_constraints => 1, constraint_methods => { alpha => FV_max_length(16), # max length beta => FV_max_length(11), # too long @@ -71,6 +72,11 @@ ok( $multiline_result->valid('echo'), 'multiline FV_length_between in bounds'); ok( $multiline_result->invalid('foxtrot'), 'multiline FV_length_between too short'); ok( $multiline_result->invalid('golf'), 'multiline FV_length_between too long' ); + +# check expected values for valid untainted fields +for my $field (qw( alpha charlie echo )) { + is( $multiline_result->valid($field), $expect->{$field}, "identity $field"); +} # Test "long" results. Early implementations checked length with # regular expressions which limit length options to 32kb.
  Tue Mar 10 11:04:21 2009 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #44004] untainted multiline fields in FV_length methods are truncated
Date: Tue, 10 Mar 2009 11:03:32 -0400
To: bug-Data-FormValidator [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Show quoted text
> The method used to untaint values in FV_length_* constraints will remove > everything after the first newline. > > I've attached a patch which fixes the problem and provides additional tests.
Great. Thanks for the contribution. It will appear in the next release, with credit to you. If only I had used the "msx" flags by default, as "Perl Best Practices" suggests. This isn't the first time I've been bitten by not having "/s" turned on. Thanks for including a full patch with code and tests! Mark
  Tue Mar 10 11:04:22 2009 The RT System itself - Status changed from 'new' to 'open'
  Thu Dec 10 05:16:17 2009 matt.lawrence [...] virgin.net - Correspondence added
Show quoted text
> Great. Thanks for the contribution. It will appear in the next > release, with credit to you.
Any news on this? Show quoted text
> If only I had used the "msx" flags by default, as "Perl Best > Practices" > suggests. > > This isn't the first time I've been bitten by not having "/s" turned > on.
There are other risks with always applying xms: "two words" !~ /\btwo words\b/xms Show quoted text
> > Thanks for including a full patch with code and tests! >
You're welcome Matt
  Thu Dec 10 10:10:03 2009 MARKSTOS [...] cpan.org - Taken
  Thu Dec 10 10:10:39 2009 MARKSTOS [...] cpan.org - Correspondence added
Thanks for the reminder. I thought I had released fix already but apparently I had not. I endeavor to do so soon. Mark
  Tue Dec 29 21:07:57 2009 MARKSTOS [...] cpan.org - Status changed from 'open' to 'patched'
  Wed Dec 30 22:28:04 2009 MARKSTOS [...] cpan.org - Correspondence added
Subject: released, thanks
Your contribution has been released as part of Data::FormValidator 4.65 which has just been sent to be CPAN. 

Thanks for your help maintaining the module!

There are still a few open bugs that could use patched if you'd like to continue to help maintaining the module:
http://rt.cpan.org/Public/Dist/Display.html?Name=Data::FormValidator

Your help is appreciated and I always like to give credit in the "Changes" file when I can. 

     Mark
  Wed Dec 30 22:28:05 2009 The RT System itself - Status changed from 'patched' to 'open'
  Wed Dec 30 22:28:06 2009 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'