I'm not the one to blame as I am not the author of Zend_Validate.

But I think it's always better to write an issue regardless of what the type is set "new" or "improvement" or "bug" or "problem" or "whatever", than discussing here how the author meant his implementation.

Maybe he made a problem in the api doc, maybe in his implementation.
Only the author knows this.

Related to your PS, this shows only that the author has not written the right unit tests. That this is true for this particular component does not mean that it's true for the complete framework. But it's always easier to complain about the failures of others. I understand this. :-)

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

----- Original Message ----- From: "Kevin McArthur" <[EMAIL PROTECTED]>
Cc: <fw-general@lists.zend.com>
Sent: Tuesday, June 10, 2008 8:39 PM
Subject: Re: [fw-general] Zend_Validate_Ip


If invalid ip strings are confirmed as passing validation then this should not be logged as a 'new feature' request, but something handled by whomever is considered the security team these days -- probably with a quick point/patch release and a security advisory.

The downstream implications of _any_ failing validator are very serious. I've not looked at this specific validator, but if it's allowing extra string data into a valid context, it could lead to exploitable circumstances [sql injection, buffer overrun, etc.]

Kevin

P.S. This issue, again, underscores how the project does not have sufficient policy in place for security issues and patch distribution.

Thomas Weidner wrote:
Feel free to add a feature request to jira for this new feature.
http://framework.zend.com/issues/browse/ZF

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

----- Original Message ----- From: "Joachim Knust" <[EMAIL PROTECTED]>
To: <fw-general@lists.zend.com>
Sent: Tuesday, June 10, 2008 5:44 PM
Subject: [fw-general] Zend_Validate_Ip


Hello!

I'd like to use Zend_Validate_Ip to check if some input strings are - surprise - valid IP addresses. When I got some problems with strings like "192.168.34" or "192.168.34.234 asdf" which evaluated to true, I had a look into apidocs and found:

"Returns true if and only if $value is a valid IP address"

Both example strings are not valid IP addresses, in my opinion. Internally ip2long is used to do the checking, which accepts a lot more than just "valid IP addresses".

Is this intended behaviour or is it a bug and may change in the future?

Regards
-joachim knust
--

Kevin McArthur

StormTide Digital Studios Inc.
Author of the recently published book, "Pro PHP"
http://www.stormtide.ca
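The lenient ip2long() acceptance Joachim describes, side by side with a strict check, as an added example that is not part of this thread or of Zend Framework. The helper name isStrictIpv4() is assumed; whether ip2long() still accepts the incomplete "192.168.34" form depends on the PHP version, since later releases reject it.

```php
<?php
// Added example (not Zend_Validate_Ip code): compare the lenient ip2long()
// check with a strict IPv4 validator. Helper name isStrictIpv4() is assumed.

/**
 * Strict IPv4 validation: exactly four dotted decimal octets in 0-255,
 * no surrounding whitespace, no trailing data, canonical form only.
 */
function isStrictIpv4(string $value): bool
{
    // FILTER_VALIDATE_IP rejects incomplete addresses and trailing data.
    if (filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    // Require an exact round trip so only the canonical spelling passes
    // (e.g. "192.168.034.1" would not re-serialise to itself).
    $n = ip2long($value);
    return $n !== false && long2ip($n) === $value;
}

// Constructed sample inputs, including the two strings from the thread.
$samples = [
    '192.168.34.234',      // valid
    '192.168.34',          // incomplete: older ip2long() padded it to 192.168.0.34
    '192.168.34.234 asdf', // trailing data: inet_aton()-based parsing stops at whitespace
    '256.1.1.1',           // octet out of range
    '',                    // empty input
];

foreach ($samples as $s) {
    $lenient = ip2long($s) !== false ? 'accepted' : 'rejected';
    $strict  = isStrictIpv4($s) ? 'accepted' : 'rejected';
    printf("%-24s ip2long: %-8s strict: %s\n", var_export($s, true), $lenient, $strict);
}
```

Run it under the PHP version you deploy on; the strict column is the behaviour a validator documented as "true if and only if $value is a valid IP address" should give.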