FLUID-3006
Laurel A. Williams
laurel.williams at utoronto.ca
Tue Jul 7 17:28:55 UTC 2009
Ok...I just rethought this and it wasn't a bug - so my checked in code
needs to be reverted - I will do that.
Why it is not a bug:
I have written the validation code to set the values of the post
variables to default values if any invalid data is submitted.
This is a reasonable technique because the variables should be posted
automatically via selections on a web page, so shouldn't contain invalid
data unless Justin and I make a mistake.
Therefore, the only source of invalid data would be someone attempting
to hack or someone entering the URL without posting any data.
If no data is posted, a 400 error is returned.
If data is posted but is invalid, it is ignored by our server side code,
which returns a default minified version of Infusion in this case.
Do you think this is a reasonable way to manage the validation issue?
Laurel
Laurel A. Williams wrote:
> The following JIRA addresses Colin's point below about
> processPostVariables
> http://issues.fluidproject.org/browse/FLUID-3006
>
> I've committed the changes to address this (commit 7527) if Colin and
> others would like to check it out.
>
> Laurel
>>>
>>> I notice that you always return true from your
>>> processPostVariables() method, but then this value is checked in
>>> case any errors occurred. Looks like a bug to me, or perhaps
>>> something you haven't had a chance to implement yet.
>>>
>>> $successPost = processPostVariables();
>>> if (!$successPost)
>>> {
>>>     returnError("Cannot process input variables");
>>>     exit (1);
>>> }
> If you look carefully at processPostVariables line 37, you will note
> that if the post variable does not exist, the function returns false.
> However you are correct that I didn't check the other post variables
> and return false if they had a problem. Thx for catching that.
>
--
Laurel A. Williams
Adaptive Technology Resource Centre
University of Toronto
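
The approach described in this message (a 400 when nothing is posted, defaults when a posted value is invalid), written out as an added example that is not from the thread or the Fluid code base. The function name, field names and allowed values are assumptions; the result also lists which fields were defaulted, so the caller can tell a clean request from one carrying invalid data.

```php
<?php
// Added example. Field names and allowed values are hypothetical,
// not the real POST variables of the Fluid builder.
const ALLOWED = [
    'moduleSelection' => ['framework', 'renderer', 'uploader'], // multi-value field
    'typeSelection'   => ['minified', 'source'],                // single-value field
];
const DEFAULTS = [
    'moduleSelection' => ['framework'],
    'typeSelection'   => 'minified',
];

/**
 * Returns ['status' => 400] when nothing was posted, otherwise
 * ['status' => 200, 'values' => [...], 'defaulted' => [...]].
 */
function validateBuilderPost(array $post): array
{
    if ($post === []) {
        return ['status' => 400];
    }
    $values = [];
    $defaulted = [];
    foreach (ALLOWED as $field => $allowed) {
        $raw = $post[$field] ?? null;
        $isList = is_array(DEFAULTS[$field]);
        if ($isList) {
            // Every element must be a string taken from the allowlist.
            $ok = is_array($raw) && $raw !== []
                && array_filter($raw, 'is_string') === $raw
                && array_diff($raw, $allowed) === [];
        } else {
            $ok = is_string($raw) && in_array($raw, $allowed, true);
        }
        if ($ok) {
            $values[$field] = $isList ? array_values(array_unique($raw)) : $raw;
        } else {
            $values[$field] = DEFAULTS[$field]; // invalid or missing: fall back
            $defaulted[] = $field;              // remember that we did
        }
    }
    return ['status' => 200, 'values' => $values, 'defaulted' => $defaulted];
}

// Constructed inputs: nothing posted, a valid post, a post with invalid values.
foreach ([[], ['typeSelection' => 'source', 'moduleSelection' => ['renderer']],
          ['typeSelection' => 'bogus', 'moduleSelection' => 'x']] as $post) {
    echo json_encode(validateBuilderPost($post)), "\n";
}
```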