#1131: Different AgaviNumberValidator bugs and improvements
---------------------------+------------------------------------------------
Reporter: Dennis Meckel | Owner: dominik
Type: defect | Status: new
Priority: high | Milestone: 1.0.2
Component: validation | Version: 1.0.1
Severity: major | Keywords: hardening
Has_patch: 1 |
---------------------------+------------------------------------------------
I am sorry for packing multiple issues into one ticket, but I wrote a patch
which covers all discovered issues.
Issues:
1) input is loaded as reference (see ticket #1130)
2) "type" parameter lacks support for "double", while "cast_to" supports
both "float" and "double" as values
3) it is possible that the validator mistakenly verifies a value as valid
while it is not of type integer or float (like "+1e1" or " +1e1"
(whitespace + scientific notation)). I do not think that the
NumberValidator has to do the work which a MathValidator or
ScientificValidator should do.
Solutions:
1) validate a copy of the input
2) introduce "double" as alternative value to "float" (for the sake of
completeness)
3) to fix this issue I would recommend introducing a strict validation
mode (value and type validation) which should be enabled by default
Additionally, I added some features which harden the validator and could be
useful:
Agavi does not yet allow or disallow optional positive signs. I found it
useful to disable the positive sign in some cases, for instance routing.
I know it is possible to define a route which only allows the numbers
[0-9]+, but I am interested in fully hardened validators.
My patch also includes:
ADD: description for the "no_locale" parameter (Agavi lacks the
description)
ADD: description for the "in_locale" parameter (Agavi lacks the
description)
ADD: description for the "cast_to" parameter (Agavi lacks the
description)
BUG: Agavi is not able to disallow optional signs
FIX: introduced "sign_plus" parameter for hardening the accepted numbers.
"sign_plus" allows or disallows the use of the plus sign in front of
positive numbers. The supported values are "forbidden" (default),
"optional" and "required".
CHG: when enabling Agavi's translation, number localization gets enabled
by default. This does not go well with the Hardened Project's goal.
FIX: localization is disabled (parameter "no_locale"="true") by default.
If you want to accept number localization, just set
"no_locale"="false".
It seems that AgaviDecimalFormatter has a bug which affects the
AgaviNumberValidator (and my patched version) when numbers are converted
to (integer) or (float) from some locales. I will report the issue in
another ticket.
--
Ticket URL: <http://trac.agavi.org/ticket/1131>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
_______________________________________________
Agavi Tickets Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/tickets
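The following is an added, stand-alone illustration of the behaviour the ticket asks for (strict whole-string matching that rejects whitespace and exponent notation, "double" as an alias of "float", and a sign_plus option with the modes forbidden/optional/required). It is not AgaviNumberValidator or any Agavi code; the function `strictNumber` and its `$type` / `$signPlus` arguments are hypothetical names chosen for this example, and PHP 7 or later is assumed.

```php
<?php
declare(strict_types=1);

/*
 * Hypothetical strict number validator (example code, not Agavi's).
 *
 *   $type     : "integer", "float" or "double" ("double" is an alias of "float")
 *   $signPlus : "forbidden" (default), "optional" or "required"
 *
 * Strict mode means: the whole string must be a plain decimal literal, with no
 * surrounding whitespace, no exponent, no hex and no locale formatting.
 * Returns the converted int/float, or null when the input is rejected.
 */
function strictNumber(string $input, string $type = 'integer', string $signPlus = 'forbidden')
{
    // Work on a local copy so the caller's variable is never touched (ticket issue 1).
    $value = $input;

    switch ($signPlus) {
        case 'forbidden': $signPattern = '-?';    break; // "+7" rejected, "-7" and "7" accepted
        case 'optional':  $signPattern = '[+-]?'; break; // "+7", "-7" and "7" accepted
        case 'required':  $signPattern = '[+-]';  break; // "7" rejected: positives must carry "+"
        default: throw new InvalidArgumentException("unsupported sign_plus: $signPlus");
    }

    switch ($type) {
        case 'integer':                $isFloat = false; break;
        case 'float': case 'double':   $isFloat = true;  break;
        default: throw new InvalidArgumentException("unsupported type: $type");
    }

    // Digits only. is_numeric() would also accept " +1e1", "1e1", ".5" and similar.
    $bodyPattern = $isFloat ? '[0-9]+(?:\.[0-9]+)?' : '[0-9]+';

    // /D (DOLLAR_ENDONLY) so that "42\n" does not slip past the trailing "$".
    if (preg_match("/^({$signPattern})({$bodyPattern})$/D", $value, $m) !== 1) {
        return null;
    }
    $negative = ($m[1] === '-');
    $digits   = $m[2];

    if ($isFloat) {
        return (float) $value; // the regex guarantees a plain decimal literal
    }

    // Explicit range check: an (int) cast of an out-of-range digit string does
    // not fail, so compare the magnitude against PHP_INT_MAX / PHP_INT_MIN by hand.
    $limit   = ltrim($negative ? (string) PHP_INT_MIN : (string) PHP_INT_MAX, '-');
    $trimmed = ltrim($digits, '0');
    if ($trimmed === '') {
        return 0; // "0", "000", "-0"
    }
    if (strlen($trimmed) > strlen($limit)
        || (strlen($trimmed) === strlen($limit) && strcmp($trimmed, $limit) > 0)) {
        return null;
    }
    return (int) $value;
}

// Constructed inputs (not from the ticket) contrasting is_numeric() with the strict rules.
// Note: "42 " (trailing whitespace) became numeric in PHP 8.0; leading whitespace always was.
$samples = ['42', '+42', '-42', ' 42', '42 ', '+1e1', ' +1e1', '1e1', '.5',
            '0x1A', '4.20', '-0', '99999999999999999999'];

printf("%-24s %-10s %-16s %-16s %-16s\n",
    'input', 'is_numeric', 'int/forbidden', 'int/optional', 'float/optional');
foreach ($samples as $s) {
    printf("%-24s %-10s %-16s %-16s %-16s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        var_export(strictNumber($s, 'integer', 'forbidden'), true),
        var_export(strictNumber($s, 'integer', 'optional'), true),
        var_export(strictNumber($s, 'float', 'optional'), true));
}
```

Run with `php strict_number.php`. The point of the table is the rows where is_numeric() says `true` but the strict validator returns `NULL`: whitespace-padded, exponent, leading-dot and oversized inputs are exactly the cases the ticket's issue 3 describes, and "+42" additionally shows sign_plus="forbidden" doing its job. The regex is the whole validator; anything not matched by it is rejected before any cast happens.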