
Item528: Code validation is weak in places

Priority: Urgent
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Reported By: Foswiki:Main.CrawfordCurrie
Waiting For:
Last Change By: KennethLavrsen
There are a couple of places in the core code where validation is weak.

Details available from a security team member on production of two valid forms of ID and a DNA test.

-- CrawfordCurrie - 20 Dec 2008

Would appreciate a review.

-- CrawfordCurrie - 21 Dec 2008

Enough; validation is much, much better now. New bugs must be treated as such.


Reviewed some, and struggled with distro:1a8232525df8 for a long time before coming to the conclusion that defusing isn't needed, and it has never been a security issue as Perl won't allow this, unless one uses re 'eval'.

I've fixed the unit test, as your badpattern was failing, and the test was wrong indeed, and I've added a bunch just to ensure we're not breaking basic things with the validatePattern. These tests might not be best in the Fn_SEARCH but they were so closely related to your badpattern that I felt it was best to put them there.

-- OlivierRaginel - 31 Dec 2008
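
The Perl behaviour referred to in the comment above, as an added example that is not part of the original thread or of Foswiki's code: a pattern interpolated from a runtime string is refused if it contains a `(?{ ... })` code block, unless `use re 'eval'` is in scope. `try_compile` is a hypothetical helper and the sample patterns are constructed.

```perl
use strict;
use warnings;

our $ran = 0;    # set by the embedded code block if it ever executes

# Constructed sample inputs, as they might arrive in a search parameter.
my @samples = (
    'foo.*bar',                    # ordinary pattern
    'foo(',                        # malformed pattern
    'foo(?{ $main::ran = 1 })',    # pattern carrying an embedded code block
);

# Hypothetical helper (not Foswiki's validatePattern): compile a pattern built
# from a runtime string and return the compiled regex, or undef plus the error.
sub try_compile {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    return ( $re, undef ) if defined $re;
    ( my $err = $@ ) =~ s/ at \S+ line \d+\.?\s*\z//;    # drop file/line suffix
    return ( undef, $err );
}

for my $pattern (@samples) {
    my ( $re, $err ) = try_compile($pattern);
    printf "%-28s %s\n", $pattern, defined $re ? 'accepted' : "rejected: $err";
}
print "code block executed without re 'eval': ", ( $ran ? 'yes' : 'no' ), "\n";

# Only when the calling code opts in does the same string compile and run.
{
    use re 'eval';
    my $with_code = $samples[2];
    my $re = eval { qr/$with_code/ };
    'foo' =~ $re if defined $re;
    print "code block executed with re 'eval':    ", ( $ran ? 'yes' : 'no' ), "\n";
}
```

When reviewing code that builds patterns from request parameters, the thing to look for is a `use re 'eval'` pragma whose lexical scope covers the interpolation.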
Topic revision: r18 - 22 Feb 2009, KennethLavrsen