[Mpuls-commits] r5654 - base/trunk/mpulsweb/lib

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Nov 24 16:31:49 CET 2011 

Author: bh
Date: 2011-11-24 16:31:48 +0100 (Thu, 24 Nov 2011)
New Revision: 5654

Modified:
   base/trunk/mpulsweb/lib/validators.py
Log:
Validate typelist and phase more strictly in EvaluationFormValidator.
The values are actually ints, but the code that currently uses the
values expects them to be string-objects. Not allowing arbitrary strings
can help prevent SQL injections. The typelist and phase parameter are
not injection vectors currently, though, as far is I can tell.


Modified: base/trunk/mpulsweb/lib/validators.py
===================================================================
--- base/trunk/mpulsweb/lib/validators.py	2011-11-24 14:35:26 UTC (rev 5653)
+++ base/trunk/mpulsweb/lib/validators.py	2011-11-24 15:31:48 UTC (rev 5654)
@@ -8,7 +8,7 @@
 from formencode import ForEach, All
 from formencode.validators import Bool, Int, String, FieldsMatch, \
      StringBoolean, DateConverter, TimeConverter, FormValidator, MaxLength, \
-     FileUploadKeeper, OneOf, Wrapper
+     FileUploadKeeper, OneOf, Wrapper, Regex
 
 from pylons import app_globals as g
 from mpulsweb.lib.translation import _
@@ -692,9 +692,15 @@
     end_date = MyDateConverter(not_empty=True, if_missing='',
                                month_style='dd.mm.jjjj')
 
-    typelist = ForEach(String(), convert_to_list=True)
+    # FIXME: typelist and phase are actually lists of ints, not lists of
+    # strings. Unfortunately, we cannot just convert the list items to
+    # ints because there is code that expects them to be
+    # strings. However, the least we can and should do is verify that
+    # the values look like int literals.
+    typelist = ForEach(Regex("^-?[0-9]+$"), convert_to_list=True)
+    phase = ForEach(Regex("^-?[0-9]+$"), convert_to_list=True)
+
     type_ending = ForEach(Int(), convert_to_list=True)
-    phase = ForEach(String(), convert_to_list=True)
     show_percent = Bool(if_missing=False)
     selected_ids = Wrapper(to_python=lambda s: [int(item)
                                                 for item in s.split()],

More information about the Mpuls-commits mailing list