Michael,

Thanks for that. I did just read about this exact problem in the Rails guide on security:
http://guides.rails.info/security.html#regularexpressions

Chas Lemley

On Thu, Feb 26, 2009 at 6:27 AM, Michael Graff <[email protected]> wrote:
>
> I recently implemented a system which stores DNS names, and writes out
> DNS zone files. I found these to be rather useful tests:
>
>   def test_name_with_newline_fails
>     z = Zone.new(:name => "test\nzone")
>     assert !z.valid?
>     assert z.errors.on(:name)
>   end
>
>   def test_name_with_space_fails
>     z = Zone.new(:name => "test zone")
>     assert !z.valid?
>     assert z.errors.on(:name)
>   end
>
> When I use these zone names, I _always_ append a specific string, e.g.
> '.example.com.'
>
> If someone creates a zone called "foo" I will call it
> "foo.example.com." So, when I write out an A record, it would be
> something like:
>
>   puts "#{zone}.example.com. A #{address}"
>
> If the user happened to submit: "hacker\n@ NS
> hacker-nameserver.example.com." -- we would have problems.
>
> I thought this regular expression would catch it:
>
>   /^[a-zA-Z0-9\-\_\.]+$/
>
> and indeed it does catch spaces, random control characters... but not
> newlines! Much to my surprise, I needed to use \A instead of ^ and \Z
> instead of $. ^ matches the beginning of a _line_ and $ the end. \A
> and \Z match the beginning and ends of STRINGS.
>
> Just an FYI, perhaps I am the only one out there who did not know this.
>
> --Michael
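The anchoring difference Michael describes, as an added stand-alone Ruby example (not code from the thread): the line-anchored pattern accepts a name carrying an embedded newline, the string-anchored one rejects it, and the generated A record shows why that matters. ZONE_SUFFIX, the record format and the hostile input are constructed from his description; \z is used rather than \Z because \Z still tolerates one trailing newline.

```ruby
# Added example: ^/$ versus \A/\z for validating a DNS zone name
# that is later interpolated into a zone file line.
ZONE_SUFFIX = ".example.com."   # suffix Michael appends to every zone name

# ^ and $ match at *line* boundaries in Ruby, so a name with an embedded
# newline still has a first line that satisfies the pattern.
LINE_ANCHORED   = /^[a-zA-Z0-9\-_.]+$/
# \A is the start of the string and \z the very end (no trailing newline
# allowed, unlike \Z), so the whole input must satisfy the character class.
STRING_ANCHORED = /\A[a-zA-Z0-9\-_.]+\z/

# Returns true when the name is accepted by the given pattern.
def valid_zone_name?(name, pattern = STRING_ANCHORED)
  !!(name =~ pattern)
end

# The zone file line Michael's code would emit for an A record.
def a_record_line(zone, address)
  "#{zone}#{ZONE_SUFFIX} A #{address}"
end

# How many resource-record lines that single write actually produces;
# anything above one means the submitted name injected a record.
def record_lines(zone, address)
  a_record_line(zone, address).split("\n")
end

# Constructed hostile input, modelled on the NS-injection string in the thread.
HOSTILE = "hacker\n@ NS hacker-nameserver"

if __FILE__ == $PROGRAM_NAME
  puts "line-anchored accepts hostile name:   #{valid_zone_name?(HOSTILE, LINE_ANCHORED)}"
  puts "string-anchored accepts hostile name: #{valid_zone_name?(HOSTILE)}"
  puts "records written for hostile name:     #{record_lines(HOSTILE, '192.0.2.1').length}"
end
```

Newer Rails versions refuse a `validates_format_of` regexp that uses `^` or `$` for exactly this reason unless `multiline: true` is passed explicitly.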

