#1131: Different AgaviNumberValidator bugs and improvements
-------------------------------------+--------------------------------------
Reporter: mec...@… | Owner: dominik
Type: defect | Status: new
Priority: high | Milestone: 1.0.2
Component: validation | Version: 1.0.1
Severity: major | Keywords: hardening
Has_patch: 1 |
-------------------------------------+--------------------------------------
Description changed by david:
Old description:
> I am sorry for packing multiple issues into one ticket, but I wrote a
> patch which covers all discovered issues.
>
> Issues:
>
> 1) input is loaded as reference (see ticket #1130 )
>
> 2) "type" parameter lacks support of "double", while "cast_to" supports
> both "float" and "double" as value
>
> 3) it is possible that the validator mistakenly verifies a value as valid
> while it is not of type integer or float (like "+1e1" or " +1e1"
> (whitespace + scientific notation) - I do not think that the
> NumberValidator has to do the work which a MathValidator or
> ScientificValidator should do)
>
> Solutions:
> 1) validate a copy of the input
>
> 2) introduce "double" as alternative value to "float" (for the sake of
> completeness)
>
> 3) to fix this issue I would recommend introducing a strict validation
> mode (value and type validation) which should be enabled by default
>
> Additionally, I added some features which harden the validator and could
> be useful:
>
> Agavi does not yet allow or disallow optional positive signs. I found it
> useful to disable the positive signs in some cases, for instance routing.
> I know it is possible to define a route which only allows the
> numbers [0-9]+, but I am interested in fully hardened validators.
>
> My patch also includes:
>
> ADD: description for the "no_locale" parameter (Agavi lacks the
> description)
>
> ADD: description for the "in_locale" parameter (Agavi lacks the
> description)
>
> ADD: description for the "cast_to" parameter (Agavi lacks the
> description)
>
> BUG: Agavi is not able to disallow optional signs
>
> FIX: introduced "sign_plus" parameter for hardening the accepted numbers.
> "sign_plus" allows or disallows the use of the plus sign in front of
> positive numbers. The supported parameters are "forbidden" (default),
> "optional" and "required"
>
> CHG: when enabling Agavi's translation, the number localization gets
> enabled by default. This does not go well with the Hardened Project's goal.
>
> FIX: localization got disabled (parameter "no_locale"="true") by default.
> If you want to accept number localization, just set
> "no_locale"="false".
>
> It seems that AgaviDecimalFormatter has a bug which affects the
> AgaviNumberValidator (and my patched version) when numbers are converted
> to (integer) or (float) from some locales. I will report the issue in
> another ticket.
New description:
I am sorry for packing multiple issues into one ticket, but I wrote a patch
which covers all discovered issues.
Issues:
1. input is loaded as reference (see ticket #1130)
1. "type" parameter lacks support of {{{double}}}, while {{{cast_to}}}
supports both {{{float}}} and {{{double}}} as value
1. it is possible that the validator mistakenly verifies a value as valid
while it is not of type integer or float (like "+1e1" or " +1e1"
(whitespace + scientific notation) - I do not think that the
{{{NumberValidator}}} has to do the work which a {{{MathValidator}}} or
{{{ScientificValidator}}} should do)
Solutions:
1. validate a copy of the input
1. introduce "double" as alternative value to "float" (for the sake of
completeness)
1. to fix this issue I would recommend introducing a strict validation
mode (value and type validation) which should be enabled by default
Additionally, I added some features which harden the validator and could be
useful:
Agavi does not yet allow or disallow optional positive signs. I found it
useful to disable the positive signs in some cases, for instance routing.
I know it is possible to define a route which only allows the numbers
{{{[0-9]+}}}, but I am interested in fully hardened validators.
My patch also includes:
ADD:: description for the "no_locale" parameter (Agavi lacks the
description)
ADD:: description for the "in_locale" parameter (Agavi lacks the
description)
ADD:: description for the "cast_to" parameter (Agavi lacks the
description)
BUG:: Agavi is not able to disallow optional signs
FIX:: introduced "sign_plus" parameter for hardening the accepted
numbers. "sign_plus" allows or disallows the use of the plus sign in front
of positive numbers. The supported parameters are "forbidden" (default),
"optional" and "required"
CHG:: when enabling Agavi's translation, the number localization gets
enabled by default. This does not go well with the Hardened Project's
goal.
FIX:: localization got disabled (parameter "no_locale"="true") by
default. If you want to accept number localization, just set
"no_locale"="false".
It seems that {{{AgaviDecimalFormatter}}} has a bug which affects the
{{{AgaviNumberValidator}}} (and my patched version) when numbers are
converted to {{{(integer)}}} or {{{(float)}}} from some locales. I will
report the issue in another ticket.
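A hardened check along the lines of the ticket's proposals (strict value and type check, a "sign_plus" mode, "double" as an alias of "float", validating a copy of the input), written as an added example in PHP; it is not Agavi's code, and hardenedNumberCheck and its argument names are assumptions:

```php
<?php
// Added example, not Agavi's own code. Assumed names: hardenedNumberCheck()
// and its $type / $signPlus arguments, modelled on the ticket's proposals.

// Strict check that $input is an integer or float literal and nothing more.
// $type: 'integer', 'float' or 'double' ('double' aliases 'float').
// $signPlus: 'forbidden' (default), 'optional' or 'required'. Returns bool.
function hardenedNumberCheck($input, $type = 'integer', $signPlus = 'forbidden')
{
    $value = (string) $input; // local copy: the caller's variable stays untouched

    // Permitted sign prefix, derived from the sign_plus mode.
    switch ($signPlus) {
        case 'forbidden': $sign = '-?';    break; // only a minus may precede digits
        case 'optional':  $sign = '[+-]?'; break;
        case 'required':  $sign = '[+-]';  break; // positive numbers must carry '+'
        default:          return false;           // unknown mode: fail closed
    }

    // Value check: plain digits only. Unlike is_numeric(), this rejects leading
    // or trailing whitespace, exponents such as "1e1", and hex/octal prefixes.
    // The /D modifier stops '$' from matching just before a trailing newline.
    if ($type === 'integer') {
        $pattern = '/^' . $sign . '[0-9]+$/D';
    } elseif ($type === 'float' || $type === 'double') {
        $pattern = '/^' . $sign . '(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)$/D';
    } else {
        return false; // unsupported "type" parameter
    }
    if (!preg_match($pattern, $value)) {
        return false;
    }

    // Type check for integers: the value must also fit PHP's integer range,
    // otherwise (int) saturates and the cast would silently change the value.
    return $type !== 'integer' || $value == (int) $value;
}

// Constructed inputs from the ticket: is_numeric() accepts the first five,
// but only the strictly formatted ones pass the hardened check.
foreach (array('42', '-42', '+42', '+1e1', ' +1e1', "42\n") as $sample) {
    printf("%-9s is_numeric=%d forbidden=%d optional=%d required=%d\n",
        var_export($sample, true), is_numeric($sample), hardenedNumberCheck($sample),
        hardenedNumberCheck($sample, 'integer', 'optional'),
        hardenedNumberCheck($sample, 'integer', 'required'));
}
```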
--
Ticket URL: <http://trac.agavi.org/ticket/1131#comment:2>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5