
Author Topic: Plugin data sanitization and the copyright symbol  (Read 4554 times)


gmc (Dev Team member)
Plugin data sanitization and the copyright symbol
« on: October 08, 2013, 05:15:39 PM »

Playing with an idea for a plugin... and learning about plugins along the way.
One of the config variables is a text in which I want to allow the inclusion of the copyright symbol © (&copy;).

Following the doc for creating plugins, I have an admin.php file with a $sanitization_array for each of the inputs.
For this field - the contents are:
'plugin_plugin_name_variable_text' => array('type' => 'raw', 'regex' => '/^[A-Za-z&@;\.\xA9\xB8 ]+$/'),

From the sample regex input provided in the doc for text fields, I added as valid characters @ ; . and ASCII characters A9 (169) and B8 (184), as I found conflicting values for © (&copy;) in the extended ASCII codes documented on the web.

I cannot get any form of the copyright symbol - whether © copied into the field, or represented by the &copy; notation - to pass the regex validation...

(My main gallery is at http://gallery.gmcdesign.com - However I am playing on a sandbox that is inaccessible to the rest of the world... and of course admin access needed to use plugin manager.)

Thanks for any suggestions/ideas...
Greg
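The pattern quoted in this post has a second problem besides the template bug that is found later in the thread (reply #6): in a PCRE pattern without the u modifier, \xA9 matches a single byte, whereas a UTF-8 form submits © as the two bytes 0xC2 0xA9, so the anchored character class can never match it. The PHP below is an added example written for this thread, not code from the post or from Coppermine. It assumes the admin form posts UTF-8 (Coppermine's default charset) and uses constructed sample strings; it runs the original class and a UTF-8-aware allow-list side by side, where the allow-list accepts either the literal sign or the &copy; entity but no longer admits '&' and ';' on their own, so other entities are rejected.

```php
<?php
// Added example (not from the thread or the Coppermine plugin template).
// Assumption: the admin form posts UTF-8, which is Coppermine's default charset.

// The pattern from the post. Without the /u modifier PCRE works on bytes:
// \xA9 is the single byte 0xA9, but a UTF-8 form sends © as the two bytes
// 0xC2 0xA9, and 0xC2 is not in the class, so the anchored match fails.
$originalPattern = '/^[A-Za-z&@;\.\xA9\xB8 ]+$/';

// UTF-8-aware allow-list: /u switches PCRE to code points, \x{A9} is U+00A9,
// and the alternation admits the &copy; entity only as a complete unit.
// '&' and ';' are no longer in the class on their own, so other entities
// (or anything else built from them) are rejected.
$utf8Pattern = '/^(?:[A-Za-z@.\x{A9} ]|&copy;)+$/u';

// preg_match() returns 1 on match, 0 on no match and false on error (for
// example a subject that is not valid UTF-8 under /u). Anything but 1 is a reject.
function validateText($value, $pattern)
{
    return preg_match($pattern, $value) === 1;
}

// Constructed inputs: the same caption with the sign in three encodings,
// plus a different entity to show what the loose '&' and ';' let through.
$samples = array(
    'utf8 sign'    => "Photo \xC2\xA9 GMC",   // © as UTF-8
    'latin1 sign'  => "Photo \xA9 GMC",       // © as ISO-8859-1
    'entity'       => 'Photo &copy; GMC',
    'other entity' => 'Photo &lt;b&gt; GMC',
);

foreach ($samples as $label => $text) {
    printf("%-13s original: %-5s utf8: %s\n",
        $label,
        validateText($text, $originalPattern) ? 'pass' : 'fail',
        validateText($text, $utf8Pattern) ? 'pass' : 'fail');
}
```

Run it with the php command-line binary. The original class passes the Latin-1 byte, the &copy; entity and also the unrelated &lt;b&gt; entity, but fails the UTF-8 sign; the /u pattern passes the UTF-8 sign and &copy; only, and treats the Latin-1 subject as invalid UTF-8 (preg_match() returns false), which validateText() correctly counts as a rejection.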

Joe Carver (Dev Team member, aka 'i-imagine')
Re: Plugin data sanitization and the copyright symbol
« Reply #1 on: October 09, 2013, 01:22:08 AM »

Are you looking at what is going into the db? Is the character being encoded to &#169; or &copy; ?

If so, then use a replace function [str_replace], see:
http://php.net/manual/en/function.str-replace.php
and
http://www.w3schools.com/php/func_string_str_replace.asp

When I was trying to learn, some things like these seemed to help:
 
  • Use debug to your advantage
  • Run tests on parts of plugins as a custom footer or header - mistakes are less likely to break everything
  • Visit the above sites for basic help


Αndré (Administrator)
Re: Plugin data sanitization and the copyright symbol
« Reply #2 on: October 09, 2013, 09:12:25 AM »

Please post the section of the docs where you found that sanitization example, as we usually use Inspekt for sanitizing user input in cpg1.5.x.

Niecher (LocalSupporter)
Re: Plugin data sanitization and the copyright symbol
« Reply #3 on: October 09, 2013, 01:20:04 PM »

Hello gmc,

Wouldn't it be easier to change the charset to ISO-8859-1?

I mean, for text field something like this:

Code:
<form accept-charset="ISO-8859-1">
Regards.
« Last Edit: October 09, 2013, 02:17:05 PM by Niecher »

gmc (Dev Team member)
Re: Plugin data sanitization and the copyright symbol
« Reply #4 on: October 09, 2013, 06:50:01 PM »

Thank you all for the replies...

Quote from: Joe Carver
Are you looking at what is going into the db? Is the character being encoded to &#169; or &copy; ?
...
  • Use debug to your advantage
  • Run tests on parts of plugins as a custom footer or header - mistakes are less likely to break everything
  • Visit the above sites for basic help
Not getting to the point of updating the database - as the form input is failing sanitization...
But the install putting the actual copyright symbol in the db doesn't get properly displayed later - so have to use &copy; or a placeholder like (c) and replace later...
Still not even having simple text pass the regex test - still searching for my mistake.
All the checkbox, radio, and dropdown entries work fine - just text giving me an issue.

Thanks for the reminder about debugger - it is a great tool.
And I use those sites regularly... :)

Quote from: Αndré
Please post the section of the docs where you found that sanitization example, as we usually use Inspekt for sanitizing user input in cpg1.5.x.
Following the "Plugin Writing: Tutorial, API" doc - section titled 'Sanitize form data & write to database'
http://documentation.coppermine-gallery.net/en/dev_plugin_api.htm#plugin_api_tutorial_config_sanitize
(The sanitization_array is defined just above that label... it is used at the label linked to.)
It gives specific code it recommends using.  Does reference $superCage - so appears to be using Inspekt?
Gives code to process the input against a sanitization_array to validate ranges, characters, etc. That verification is where I am having issues...
Should I be using a different technique?

Quote from: Niecher
...
Wouldn't it be easier to change the charset to ISO-8859-1?
...
Certainly may be an easier way... I was following the example using regex expressions and sanitization from the doc... Trying to be a 'good' programmer and reading/following the provided doc..  :D  Thanks for the suggestion.

Thanks again all!
Greg

Αndré (Administrator)
Re: Plugin data sanitization and the copyright symbol
« Reply #5 on: October 10, 2013, 09:19:19 AM »

As I never used that code to sanitize input in my plugins, it's new to me and I don't have a working plugin to test it. I suggest attaching your plugin as-is to your next reply, so we can test it ourselves.

gmc (Dev Team member)
Re: Plugin data sanitization and the copyright symbol
« Reply #6 on: October 11, 2013, 06:45:30 PM »

The good news... I found the issue... and can now properly validate the data.
The not so good news - there are a few errors in the plugin template referenced in the doc - but nothing that can't be easily fixed - just took time to find.

The doc used is at:
http://documentation.coppermine-gallery.net/en/dev_plugins.htm
and its referenced subsections:
http://documentation.coppermine-gallery.net/en/dev_plugin_api.htm
http://documentation.coppermine-gallery.net/en/dev_plugin_steps.htm

Specifically http://documentation.coppermine-gallery.net/en/dev_plugin_steps.htm references a template to download in Step 1 - cpg1.5.x_plugin_template_v1.0.zip
2 links provided to download - both point to V1.0.
Viewing http://sourceforge.net/projects/coppermine/files/Plugins/1.5.x/ showed no newer version available.

The provided 'admin.php' file has 3 issues I've found:
Line 31 - Common code for validating Checkbox and Radio Button input.
Properly validates Checkbox - including the case of 'unchecked', where the variable isn't provided in the POSTed variables - but it does not properly handle Radio Button input for values BETWEEN MIN and MAX; these are rejected.

Line 53 - Common code for validating 'raw' input - freeform text (the issue that started this thread)
The tests try to compare a 'regex_ok' value from $san_value array. The key in the array is actually 'regex' - causing all input to FAIL validation.

Line 63 - Common code for validating 'array' input - from dropdown menus on form
These tests also reference the 'regex_ok' key - but in this case causes any input to BYPASS validation and be accepted...

A logic change to the Checkbox/Radio Button code, and a variable change in either the array definition or the tests against it, is needed to correct these.
(I changed the tests as I initially only found the 'raw' error - then went searching for other uses - and found the 'array' error. Changing the tests is a code change... Changing the array is a doc change... Code change seemed easier  :) )

I extracted the User Interface portion of my plugin and have attached a zip file that addresses these issues... Line numbers don't match the template values above - as I made other changes from the template - but a search on **GMC will bring you to my comments/changes.
The plugin can be installed and configured to validate the changes. It will take no other actions (functions called by filters other than install/deinstall only return provided data unchanged.)
Has examples of Checkbox, Radio, Dropdown, and Text variables to validate those cases.

I've provided an updated admin.php in separate attachment (admin.zip) that could be used to fix these issues...
(Since it is a starting template for a new plugin writer... didn't leave old code or comment changes as I normally would - to avoid confusion... Also didn't update version - as they should start their plugin with 1.0.)

The only doc change would be links to new template - if a different download filename is used.
(Referenced in Step 1 of http://documentation.coppermine-gallery.net/en/dev_plugin_steps.htm)

Hope this helps the 'next person' trying to use the doc/samples to write a plugin.
Back to coding the real 'actions' I want done. :)

Thanks again to all.
(Didn't mark solved - as wanted to see if updates can be incorporated in provided template first.)

Greg
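For reference, the three template issues listed in the reply above (radio values between MIN and MAX rejected, the 'regex_ok' vs 'regex' key mismatch failing all 'raw' input, and the same mismatch letting all 'array' input through) as one corrected sanitization routine. This PHP is an added example written for this thread, not the Coppermine plugin template or the admin.php attached to the reply. It assumes the template's general shape (one $sanitization_array entry per form field, keyed by the POST variable name); the field names, the rule keys 'min', 'max', 'regex' and 'values', the checkbox value of '1', and the POST data are all constructed.

```php
<?php
// Added example for this thread, not the Coppermine plugin template or the
// attached admin.php. It assumes the template's general shape (one
// $sanitization_array entry per form field, keyed by the POST variable name);
// the field names, the rule keys 'min', 'max', 'regex', 'values' and the
// POST data below are constructed.

$sanitization_array = array(
    'plugin_example_checkbox' => array('type' => 'checkbox'),
    'plugin_example_radio'    => array('type' => 'radio', 'min' => 1, 'max' => 3),
    'plugin_example_text'     => array('type' => 'raw',
                                       'regex' => '/^(?:[A-Za-z@. ]|&copy;)+$/'),
    'plugin_example_dropdown' => array('type' => 'array',
                                       'values' => array('none', 'small', 'large')),
);

// Returns the cleaned value, or null when the input must be rejected.
function sanitize_field(array $rule, $value)
{
    switch ($rule['type']) {
        case 'checkbox':
            // An unchecked box is simply absent from POST: that is a valid 0,
            // not an error. Assumes the box posts '1' when checked; anything
            // else is rejected.
            if ($value === null) {
                return 0;
            }
            return ($value === '1') ? 1 : null;

        case 'radio':
            // Accept every integer in the inclusive range min..max, not only
            // the endpoints (the issue reported for template line 31).
            if ($value === null || !preg_match('/^[0-9]+$/', (string) $value)) {
                return null;
            }
            $n = (int) $value;
            return ($n >= $rule['min'] && $n <= $rule['max']) ? $n : null;

        case 'raw':
            // Read the key the rule actually defines. A mismatch such as
            // $rule['regex_ok'] yields no pattern, and preg_match() with an
            // empty pattern never returns 1, so every text value fails
            // (template line 53). A rule without a pattern is rejected here.
            if ($value === null || empty($rule['regex'])) {
                return null;
            }
            return (preg_match($rule['regex'], $value) === 1) ? $value : null;

        case 'array':
            // Strict allow-list against the declared options. A missing key
            // must reject, never fall through and accept (template line 63).
            if ($value === null || empty($rule['values'])) {
                return null;
            }
            return in_array($value, $rule['values'], true) ? $value : null;

        default:
            return null;
    }
}

// Applies the rules to a POST array; fields absent from POST are passed as null.
function sanitize_post(array $rules, array $post)
{
    $clean = array();
    foreach ($rules as $field => $rule) {
        $clean[$field] = sanitize_field($rule, isset($post[$field]) ? $post[$field] : null);
    }
    return $clean;
}

// Constructed POST data: checkbox left unchecked (absent), radio on the middle
// value, text using the &copy; entity, dropdown with a value not in the list.
$post = array(
    'plugin_example_radio'    => '2',
    'plugin_example_text'     => 'Photo &copy; GMC',
    'plugin_example_dropdown' => 'huge',
);
print_r(sanitize_post($sanitization_array, $post));
```

The design point is that every branch returns null on any doubt, including a rule that lacks its expected key: a typo in a key name then surfaces as a rejected field during testing rather than as a silent bypass, which is the failure mode the 'array' case in the template showed.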

Αndré (Administrator)
Re: Plugin data sanitization and the copyright symbol
« Reply #7 on: October 14, 2013, 01:37:08 PM »

Thanks for reporting those issues. I'll update the template plugin as suggested and also update the docs accordingly.
« Last Edit: October 14, 2013, 01:43:48 PM by Αndré »

Αndré (Administrator)
Re: Plugin data sanitization and the copyright symbol
« Reply #8 on: October 14, 2013, 02:05:07 PM »

Docs have been updated in SVN revision 8609, plugin (inside the docs folder) has been updated in SVN revision 8611. Both changes will be available with the release of cpg1.5.26. The plugin file at the download repository has just been updated and is already available.

gmc (Dev Team member)
Re: Plugin data sanitization and the copyright symbol
« Reply #9 on: October 14, 2013, 05:24:43 PM »

Quote from: Αndré
Docs have been updated in SVN revision 8609, plugin (inside the docs folder) has been updated in SVN revision 8611. Both changes will be available with the release of cpg1.5.26. The plugin file at the download repository has just been updated and is already available.
Thank you... I've marked the topic as solved.