FLUID-3006

Laurel A. Williams laurel.williams at utoronto.ca
Tue Jul 7 17:28:55 UTC 2009


Ok...I just rethought this and it wasn't a bug - so my checked in code 
needs to be reverted - I will do that.

Why it is not a bug:
I have written the validation code to set the values of the post 
variables to default values if any invalid data is submitted.
This is a reasonable technique because the variables should be posted 
automatically via selections on a web page, so shouldn't contain invalid 
data unless Justin and I make a mistake.
Therefore, the only source of invalid data would be someone attempting 
to hack or someone entering the url without posting any data.
If no data is posted, a 400 error is returned.
If data is posted but is invalid, it is ignored by our server side code, 
which returns a default minified version of infusion in this case.

Do you think this is a reasonable way to manage the validation issue?

Laurel

Laurel A. Williams wrote:
> The following JIRA addresses Colin's point below about 
> processPostVariables
> http://issues.fluidproject.org/browse/FLUID-3006
>
> I've committed the changes to address this (commit 7527) if Colin and 
> others would like to check it out.
>
> Laurel
>>>
>>> I notice that you always return true from your 
>>> processPostVariables() method, but then this value is checked in 
>>> case any errors occurred. Looks like a bug to me, or perhaps 
>>> something you haven't had a chance to implement yet.
>>>
>>> $successPost = processPostVariables();
>>> if (!$successPost)
>>> {
>>>     returnError("Cannot process input variables");
>>>     exit (1);
>>> }
> If you look carefully at processPostVariables line 37, you will note 
> that if the post variable does not exist, the function returns false. 
> However you are correct that I didn't check the other post variables 
> and return false if they had a problem. Thx for catching that.
>

-- 
Laurel A. Williams
Adaptive Technology Resource Centre
University of Toronto




More information about the fluid-work mailing list