--- Robert Leland <[EMAIL PROTECTED]> wrote:
> David Graham wrote:
> 
> >It is inherently insecure to reveal the specific details of password
> >validation in client side scripting.  Validator and Struts should be as
> >secure as possible out of the box so I am -1 on this change.  Please
> >revert the changes until we come up with a better solution.  Bugzilla
> >isn't the easiest place to have this discussion so it might be better
> >suited for commons-dev.
> >
> >I thought that the length was only revealed in the error message but it
> >is indeed shown in snippets like:
> >this.maxlength='4'; this.minlength='4';
> >
> >I agree that the best solution at the moment is not to use validator on
> >password forms.
> >
> >David
> >
> Also the server side validations reveal max/min lengths, there.
> Currently, the validator server side validations are loosely coupled. A
> solution that would prevent the user from using max/min length checks
> either client or server side would increase coupling. One possible
> attempt to solve this by placing an optional attribute for the user to
> tell us that the field is a password so we could disallow maxlength or
> minlength would not work because they would just not mark the field as
> a 'password'.
> 
> A proactive step might be to have the generated javascript create a
> dialog if the field is a 'password' field and it attempts to validate a
> max/minlength constraint.
> 
> It would warn them that validating max/min fields is discouraged. A
> client side validation would be allowed by setting a parameter in the
> <html:javascript> tag. This would catch both client side and server
> side cases, given that javascript is enabled.
> 
> Generally though I believe it would be cleanest if the commons-validator
> didn't dictate what field types could/could not be validated. This
> decision could be left up to the enclosing framework, as I described
> above.

Validator won't be dictating anything; it just won't validate password
fields on the client side out of the box.  Indeed, the options you mention
above would be dictating behavior to the client.  

As we can see from the change you committed, adding password field
checking is trivial.  It should be the developer's conscious decision to
patch the code and reveal password rules to the client, not Validator's.

Quoting from http://jakarta.apache.org/site/mission.html part of every
Apache project is, "security as a mandatory feature".  We would violate
this principle if we reveal password validation rules on the client side.

The validation rules are only exposed if you use Struts' <html:javascript>
tag on the form.  You can still use Validator for password fields if you
don't include javascript validation and use only server side checks.  A
warning in the Struts user's guide may be the best we can do because
Validator has no real way of knowing what fields are passwords.

I'm still -1 on this last commit for the reasons stated.  Please revert
this change to not validate password fields in the javascript.

David

> 
> >--- [EMAIL PROTECTED] wrote:
> >>rleland     2003/10/06 20:00:15
> >>
> >>  Modified:   
> >>validator/src/javascript/org/apache/commons/validator/javascript
> >>                        validateMaxLength.js validateMinLength.js
> >>  Log:
> >>  Bug#: 12473
> >>  Let max/min length also cover passwords fields.
> >>  If users don't want the password min/max parameters
> >>  revealed then they shouldn't use the validator.
> >>  Currently in struts the min/max values are still
> >>  in the html, anyway. There is no easy/clean workaround.
> >>  
> >>  Just don't use validator.
> >>  
> >>  Revision  Changes    Path
> >>  1.3       +4 -3     
> >>
>
>jakarta-commons/validator/src/javascript/org/apache/commons/validator/javascript/validateMaxLength.js
> >>  Index: validateMaxLength.js
> >>  ===================================================================
> >>  RCS file:
> >>
>
>/home/cvs/jakarta-commons/validator/src/javascript/org/apache/commons/validator/javascript/validateMaxLength.js,v
> >>  retrieving revision 1.2
> >>  retrieving revision 1.3
> >>  diff -u -r1.2 -r1.3
> >>  --- validateMaxLength.js  15 Aug 2003 20:22:03 -0000      1.2
> >>  +++ validateMaxLength.js  7 Oct 2003 03:00:15 -0000       1.3
> >>  @@ -13,6 +13,7 @@
> >>               var field = form[oMaxLength[x][0]];
> >>   
> >>               if (field.type == 'text' ||
> >>  +                field.type == 'password' ||
> >>                   field.type == 'textarea') {
> >>   
> >>                   var iMax = parseInt(oMaxLength[x][2]("maxlength"));
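Review bot: the widened condition (`field.type == 'password' ||`) makes the maxlength rule run for password inputs by default, which is exactly the exposure this thread objects to; if the widening stays, gate it behind an explicit opt-in (for example a parameter on `<html:javascript>`, as proposed earlier in the thread) rather than the default path. Separately, the summary line reports `+4 -3` for this file while the hunk shows a single added line and no removals, so the rest of the change is not visible in this excerpt and should be shown for review.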
> >>  
> >>  
> >>  
> >>  1.4       +4 -3     
> >>
>
>jakarta-commons/validator/src/javascript/org/apache/commons/validator/javascript/validateMinLength.js
> >>  Index: validateMinLength.js
> >>  ===================================================================
> >>  RCS file:
> >>
>
>/home/cvs/jakarta-commons/validator/src/javascript/org/apache/commons/validator/javascript/validateMinLength.js,v
> >>  retrieving revision 1.3
> >>  retrieving revision 1.4
> >>  diff -u -r1.3 -r1.4
> >>  --- validateMinLength.js  15 Aug 2003 20:22:03 -0000      1.3
> >>  +++ validateMinLength.js  7 Oct 2003 03:00:15 -0000       1.4
> >>  @@ -13,6 +13,7 @@
> >>               var field = form[oMinLength[x][0]];
> >>   
> >>               if (field.type == 'text' ||
> >>  +                field.type == 'password' ||
> >>                   field.type == 'textarea') {
> >>   
> >>                   var iMin = parseInt(oMinLength[x][2]("minlength"));
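Review bot: this is the same one-line widening as in validateMaxLength.js, so the two scripts now carry an identical type test that must be kept in sync by hand; if an opt-in for password fields is added later it is easy to apply it to one file and miss the other, so consider factoring the type check into a shared helper. Also, the neighbouring `parseInt(oMinLength[x][2]("minlength"))` passes no radix; a leading-zero value such as "08" can be parsed as octal by older engines, so `parseInt(..., 10)` is the safer call.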
> >>  
> >>  
> >>  



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
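As an added example, not code from Struts or commons-validator and not part of the thread above: a stand-alone JavaScript sketch of the two positions argued in this exchange. The rule table keeps the `[fieldName, message, paramsFn]` layout of the quoted validateMaxLength.js (`oMaxLength[x][0]`, `[x][1]`, `[x][2]("maxlength")`), but the fake form object, the `allowPasswordLength` option and the `exposedRules` helper are constructed here and are assumptions, not Validator API. `validateMaxLength` skips `password` fields unless the page author opts in, which is Robert's proposal; `exposedRules` shows David's objection, that the limits are still readable in the generated script whether or not the check runs.

```javascript
// Added example (not Struts/Validator code). Client-side max-length check
// in the shape of the quoted validateMaxLength.js, with password fields
// opted OUT by default. The form, rules and option name are constructed.

// Constructed stand-in for an HTML form: field name -> {type, value}.
const sampleForm = {
  username: { type: 'text',     value: 'alice_in_wonderland_1234' }, // 24 chars
  password: { type: 'password', value: 'correct horse battery' },    // 21 chars
  bio:      { type: 'textarea', value: 'short' },
};

// Constructed rule table in the quoted script's layout:
// [fieldName, errorMessage, function(paramName) -> paramValue].
// In Struts this array is written into the page by <html:javascript>,
// which is why every value in it is visible to anyone who views source.
const oMaxLength = [
  ['username', 'Username can not be greater than 16 characters.',
    function (name) { return ({ maxlength: '16' })[name]; }],
  ['password', 'Password can not be greater than 8 characters.',
    function (name) { return ({ maxlength: '8' })[name]; }],
  ['bio', 'Bio can not be greater than 200 characters.',
    function (name) { return ({ maxlength: '200' })[name]; }],
];

// Returns the error messages for fields whose value exceeds their limit.
// opts.allowPasswordLength is an assumed opt-in standing in for the
// "parameter in the <html:javascript> tag" idea; without it, rules on
// password fields are never enforced on the client.
function validateMaxLength(form, rules, opts) {
  const allowPassword = Boolean(opts && opts.allowPasswordLength);
  const errors = [];
  for (let x = 0; x < rules.length; x++) {
    const field = form[rules[x][0]];
    if (!field) continue;
    const checkable =
      field.type === 'text' ||
      field.type === 'textarea' ||
      (field.type === 'password' && allowPassword);
    if (!checkable) continue;
    const iMax = parseInt(rules[x][2]('maxlength'), 10); // explicit radix
    if (field.value.length > iMax) {
      errors.push(rules[x][1]);
    }
  }
  return errors;
}

// What a reader of the page source learns regardless of enforcement:
// the rule table itself carries every limit. Skipping the check (the
// default above) does not remove the value from the script; only not
// generating the rule for that field does.
function exposedRules(rules) {
  return rules.map(r => ({ field: r[0], maxlength: r[2]('maxlength') }));
}
```

Run `validateMaxLength(sampleForm, oMaxLength)` and only the username error comes back; pass `{ allowPasswordLength: true }` and the password error appears too. `exposedRules(oMaxLength)` lists `8` for the password field in both cases, which is the leak the thread is about: to keep the limit off the client, the rule must not be emitted for that field (server-side checks only), not merely left unenforced.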
