Bug in Class::DBI::Untaint
Hi!

I found some buggy behaviour of Class::DBI::Untaint (running with CDBI
0.96_07), or maybe CGI::Untaint works a little bit differently from what I'm
expecting..

I set up a class and do something like:

    __PACKAGE__->columns(All => qw/itemid orders/);
    __PACKAGE__->constrain_column(orders => Untaint => "integer");

I later cannot set orders to 0 because:

    validate_column_values error: orders My::Order orders fails 'untaint' constraint with '0'

The same happens with printable fields and an empty string.

I've attached a modified t/01.t from the CDBI::Untaint distribution that
shows this behaviour.

Unfortunately, I know next to nothing about CDBI constraints or the
CGI::Untaint internals, so I couldn't provide a patch. If this is a bug and
not a mistake by me, BTW.

If it is a bug, I could take a look at solving it, if somebody (Tony?) gives
me a short hint on where to look..
--
-> Austrian Perl Workshop - 20th-22nd May - http://vienna.pm.org/ <-
#!/usr/bin/perl http://domm.zsi.at
for(ref bless{},just'another'perl'hacker){s-:+-$"-g&&print$_.$/}

Attachment: 01.t

#!/usr/bin/perl -w

use strict;

use Test::More;

BEGIN {
    eval "use DBD::SQLite";
    plan $@ ? (skip_all => 'needs DBD::SQLite for testing') : (tests => 8);
}

package My::DBI;

use base 'Class::DBI';
use Class::DBI::Untaint;

use File::Temp qw/tempfile/;
my (undef, $DB) = tempfile();
my @DSN = ("dbi:SQLite:dbname=$DB", '', '', { AutoCommit => 1 });

END { unlink $DB if -e $DB }

__PACKAGE__->set_db(Main => @DSN);

package My::Order;

use base 'My::DBI';

__PACKAGE__->table('orders');
__PACKAGE__->columns(All => qw/itemid orders description/);
__PACKAGE__->db_Main->do(
    qq{
    CREATE TABLE orders (
        itemid INTEGER,
        orders INTEGER,
        description VARCHAR
    )
});
__PACKAGE__->constrain_column(orders => Untaint => 'integer');
__PACKAGE__->constrain_column(description => Untaint => 'printable');

package main;

# Non-numeric values must be rejected when setting an existing row
{
    my $order = My::Order->create({ itemid => 10, orders => 103 });
    isa_ok $order => "My::Order";

    eval { $order->orders("foo") };
    like $@, qr/fails 'untaint' constraint/, "Can't set a string";
}

# ... and when creating a new row
{
    my $order = eval { My::Order->create({ itemid => 13, orders => "ten" }) };
    like $@, qr/fails 'untaint' constraint/, "Can't create with a string";
}

# 0 is a valid integer and should be accepted
{
    my $order = My::Order->create({ itemid => 16, orders=>5 });

    eval { $order->orders(0) };
    # a successful eval leaves $@ as the empty string, not undef
    is($@,'','no error');
    is($order->orders,0,'0 orders');
}

# printable column: update to a new value, then clear it
{
    my $order = My::Order->create({ itemid => 18, description=>'foo' });
    $order->autoupdate(1);
    is($order->description,'foo','description ok');

    eval {$order->description('bar')};
    is($order->description,'bar','description after update');

    eval {$order->description(undef)};
    is($order->description,undef,'description empty after another update');
}

Bug in Class::DBI::Untaint
Thomas Klausner 11:07 on 23 Apr 2004
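
The symptom reported in this message (a valid 0 or empty string failing the 'untaint' constraint) is what a check produces when it uses the untainted value itself as its success flag. The Perl sketch below is an added example, not code from the post or from Class::DBI::Untaint; the handlers and the passes_truthy/passes_defined helpers are hypothetical, and the page does not establish that this is the module's actual cause.

```perl
#!/usr/bin/perl
# Added illustration; hypothetical helpers, not Class::DBI::Untaint internals.
use strict;
use warnings;

# Hypothetical untaint handlers: return the cleaned value, or undef on failure.
my %untaint = (
    integer   => sub { defined($_[0]) && $_[0] =~ /^([+-]?\d+)\z/ ? $1 : undef },
    printable => sub { defined($_[0]) && $_[0] =~ /^([[:print:]]*)\z/ ? $1 : undef },
);

# Buggy check: treats the cleaned value itself as the pass/fail flag,
# so the valid results "0" and "" (both false in Perl) count as failures.
sub passes_truthy {
    my ($type, $value) = @_;
    return $untaint{$type}->($value) ? 1 : 0;
}

# Corrected check: a value passes if the handler returned anything defined.
sub passes_defined {
    my ($type, $value) = @_;
    return defined($untaint{$type}->($value)) ? 1 : 0;
}

# Constructed sample inputs: [handler, value, should it be accepted?]
my @cases = (
    [ integer   => 103,   1 ],
    [ integer   => 0,     1 ],
    [ integer   => 'foo', 0 ],
    [ printable => 'bar', 1 ],
    [ printable => '',    1 ],
);

# Print the expected verdict beside what each check reports.
for my $case (@cases) {
    my ($type, $value, $want) = @$case;
    printf "%-9s %-5s want=%d truthy=%d defined=%d\n",
        $type, "'$value'", $want,
        passes_truthy($type, $value), passes_defined($type, $value);
}
```

Only the rows for 0 and the empty string differ between the two checks, which is why a test suite that exercises only non-zero, non-empty values does not catch this kind of defect.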