On Fri, Jun 9, 2017 at 5:41 AM, sebb <seb...@gmail.com> wrote:
> There are several locations in the Whimsy code where strings are
> validated against
>
> /\A\w+\z/
>
> This is applied to user names and LDAP group names / TLP ids.
>
> However \w does not include '-', which is used in the above ids.
>
> AFAICT, the main reason why the checks are done is to decide whether
> to untaint or not. In which case, a generic RE such as
>
> /\A[-\w]+\z/
>
> *should* be sufficient for both users and groups.
>
> However it might be good to define the RE as a library constant.
> This would make it easy to change, as well as documenting what it is used for.
>
> Does that make sense?
>
> I think the constant would need to be defined in a stand-alone module
> (i.e. not whimsy/asf) as the RE is needed in scripts that don't need
> the rest of the asf library.
>
> Where should that be put?

If such a constant were placed in whimsy/asf/validation or somesuch, those scripts that require whimsy/asf could get it automatically, and those that only need validation could require just this one part.

- Sam Ruby
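
The idea discussed in this thread, sketched in Ruby as an added example that is not part of the thread and not Whimsy's own code. The module name `IdValidation`, its constants and its methods are hypothetical, and the sample ids are constructed.

```ruby
# Hypothetical stand-alone validation module (all names are assumptions,
# not Whimsy code). It has no dependencies, so a script can require it alone.
module IdValidation
  # Pattern quoted in the thread: \w is [A-Za-z0-9_], so '-' is rejected.
  WORD_ONLY = /\A\w+\z/
  # Pattern proposed in the thread: additionally accepts '-'.
  SAFE_ID = /\A[-\w]+\z/
  # Contrast only: in Ruby ^ and $ anchor at line boundaries, not string
  # boundaries, so this accepts multi-line input. Do not use for validation.
  LINE_ANCHORED = /^[-\w]+$/

  # True only when the whole value is a non-empty run of safe id characters.
  def self.valid_id?(value)
    return false unless value.is_a?(String)
    # Malformed byte sequences are rejected before the regex sees them.
    return false unless value.valid_encoding?
    SAFE_ID.match?(value)
  end

  # Return a frozen copy of a validated id, or raise. Callers pass only the
  # returned value on to LDAP filters, file names or command arguments.
  def self.checked_id(value)
    raise ArgumentError, "invalid id: #{value.inspect}" unless valid_id?(value)
    value.dup.freeze
  end
end

# Constructed sample inputs: two plausible ids and several hostile values.
SAMPLES = [
  'jdoe', 'example-project', '', "jdoe\n", "ok\n(uid=*)", '../etc',
  "\xff".dup.force_encoding('UTF-8'), nil
].freeze

# Report which samples each pattern would let through.
def accepted_by(pattern)
  SAMPLES.select { |s| s.is_a?(String) && s.valid_encoding? && pattern.match?(s) }
end

if __FILE__ == $PROGRAM_NAME
  puts "WORD_ONLY:     #{accepted_by(IdValidation::WORD_ONLY).inspect}"
  puts "SAFE_ID:       #{accepted_by(IdValidation::SAFE_ID).inspect}"
  puts "LINE_ANCHORED: #{accepted_by(IdValidation::LINE_ANCHORED).inspect}"
end
```
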