The downstream implications of _any_ failing validator are very serious. I've not looked at this specific validator, but if it's allowing extra string data into a valid context, it could lead to exploitable circumstances [SQL injection, buffer overrun, etc].
Kevin

P.S. This issue, again, underscores how the project does not have sufficient policy in place for security issues and patch distribution.

Thomas Weidner wrote:
Feel free to add a feature request to jira for this new feature.
http://framework.zend.com/issues/browse/ZF

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

----- Original Message -----
From: "Joachim Knust" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, June 10, 2008 5:44 PM
Subject: [fw-general] Zend_Validate_Ip

Hello!

I'd like to use Zend_Validate_Ip to check if some input strings are - surprise - valid IP addresses. When I got some problems with strings like "192.168.34" or "192.168.34.234 asdf" which evaluated to true, I had a look into apidocs and found:

"Returns true if and only if $value is a valid IP address"

Both example strings are not valid IP addresses, in my opinion. Internally ip2long is used to do the checking, which accepts a lot more than just "valid IP addresses".

Is this intended behaviour or is it a bug and may change in the future?

Regards
-joachim knust

--
Kevin McArthur
StormTide Digital Studios Inc.
Author of the recently published book, "Pro PHP"
http://www.stormtide.ca
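
An added example (not part of the original thread and not Zend Framework code): a strict dotted-quad check that rejects the two strings reported above instead of relying on ip2long. The function name `strictIpv4` and the sample list are assumptions made for illustration.

```php
<?php
// Added example, not Zend Framework code. strictIpv4() is a hypothetical helper name.

/**
 * Return true only for a canonical dotted-quad IPv4 address:
 * exactly four decimal octets, each 0-255, no leading zeros,
 * and nothing before or after the address.
 */
function strictIpv4($value): bool
{
    if (!is_string($value)) {
        return false;
    }
    // \A and \z anchor to the real start and end of the string. A "$"
    // anchor would also match before a trailing newline and accept "1.2.3.4\n".
    if (!preg_match('/\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/', $value, $m)) {
        return false;
    }
    foreach (array_slice($m, 1) as $octet) {
        // Reject leading zeros (some parsers read "010" as octal)
        // and octet values above 255.
        if ((strlen($octet) > 1 && $octet[0] === '0') || (int) $octet > 255) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs. The second and third entries are the
// strings quoted in the original message.
$samples = [
    '192.168.34.234'      => true,
    '192.168.34'          => false, // only three octets
    '192.168.34.234 asdf' => false, // trailing data after the address
    "192.168.34.234\n"    => false, // trailing newline
    '192.168.034.234'     => false, // leading zero
    '256.1.1.1'           => false, // octet out of range
    '0.0.0.0'             => true,
];

foreach ($samples as $input => $expected) {
    $got = strictIpv4($input);
    printf("%-24s strict=%-5s %s\n", json_encode($input),
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```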
