No one's blaming anyone for the code; it's what the response is, and will be. Bugs will happen... but will backports? If you search the lists you'll find numerous attempts to get a security policy discussion started, and it never goes anywhere.

So let's get somewhere already.

How is the project going to respond to a validator that is letting tainted information into applications? Maybe Matthew, as architect, can respond on what Zend is doing to address this and other security disclosures with the framework?

Kevin

P.S. Far from complaining without action, I've tried to get this subject addressed, proactively, numerous times. I've been critical of the SVN externals distribution, critical of attempts to get a Zend Framework 'package' released for Linux distributions, and I've always brought up security issues with the development team as I've found them. We need some leadership and responsibility from Zend on the security policy.

Thomas Weidner wrote:
I'm not the one to blame as I am not the author of Zend_Validate.

But I think it's always better to write an issue, regardless of whether the type is set to "new" or "improvement" or "bug" or "problem" or "whatever", than to discuss here how the author meant his implementation.

Maybe he made a mistake in the API doc, maybe in his implementation.
Only the author knows this.

Related to your PS, this shows only that the author has not written the right unit tests. That this is true for this particular component does not mean that it's true for the complete framework. But it's always easier to complain about the failures of others. I understand this. :-)

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

----- Original Message ----- From: "Kevin McArthur" <[EMAIL PROTECTED]>
Cc: <fw-general@lists.zend.com>
Sent: Tuesday, June 10, 2008 8:39 PM
Subject: Re: [fw-general] Zend_Validate_Ip


If invalid IP strings are confirmed as passing validation then this should not be logged as a 'new feature' request, but something handled by whoever is considered the security team these days -- probably with a quick point/patch release and a security advisory.

The downstream implications of _any_ failing validator are very serious. I've not looked at this specific validator, but if it's allowing extra string data into a valid context, it could lead to exploitable circumstances [SQL injection, buffer overrun, etc.].

Kevin

P.S. This issue, again, underscores how the project does not have sufficient policy in place for security issues and patch distribution.

Thomas Weidner wrote:
Feel free to add a feature request to JIRA for this new feature.
http://framework.zend.com/issues/browse/ZF

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

----- Original Message ----- From: "Joachim Knust" <[EMAIL PROTECTED]>
To: <fw-general@lists.zend.com>
Sent: Tuesday, June 10, 2008 5:44 PM
Subject: [fw-general] Zend_Validate_Ip


Hello!

I'd like to use Zend_Validate_Ip to check if some input strings are - surprise - valid IP addresses. When I got some problems with strings like "192.168.34" or "192.168.34.234 asdf" which evaluated to true, I had a look into the API docs and found:

"Returns true if and only if $value is a valid IP address"

Both example strings are not valid IP addresses, in my opinion. Internally ip2long is used to do the checking, which accepts a lot more than just "valid IP addresses".

Is this intended behaviour or is it a bug and may change in the future?

Regards
-joachim knust





--

Kevin McArthur

StormTide Digital Studios Inc.
Author of the recently published book, "Pro PHP"
http://www.stormtide.ca




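An added example, not Zend Framework code and not from anyone in this thread: a loose check that relies on ip2long() alone, of the kind Joachim describes, next to a strict dotted-quad validator and the built-in filter_var() alternative, followed by the sort of downstream use Kevin is worried about. The function names, the allowRule() helper and the sample inputs other than the two strings from Joachim's mail are my own; the loose column assumes a PHP build whose ip2long() behaves as reported in the thread (on builds with a stricter ip2long() it will differ).

```php
<?php
// Added example, not Zend Framework code. Contrasts a loose check that
// relies on ip2long() alone with a strict dotted-quad validator.

// Loose: true whenever ip2long() produces a number. Where ip2long() is backed
// by the C library's inet_aton(), that includes shorthand such as "192.168.34"
// and input with trailing text after whitespace, as reported in the thread.
function isIpv4Loose(string $value): bool
{
    return ip2long($value) !== false;
}

// Strict: exactly four decimal octets separated by dots, each 0..255, no
// leading zeros (several resolvers read "034" as octal), nothing before or
// after. The D modifier stops '$' from matching before a trailing newline.
function isIpv4Strict(string $value): bool
{
    if (!preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/D', $value, $m)) {
        return false;
    }
    for ($i = 1; $i <= 4; $i++) {
        $octet = $m[$i];
        if (strlen($octet) > 1 && $octet[0] === '0') {
            return false;              // leading zero
        }
        if ((int) $octet > 255) {
            return false;              // out of range
        }
    }
    return true;
}

// Built-in alternative: PHP's filter extension applies comparable rules.
function isIpv4Filter(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Downstream use (hypothetical helper): the address ends up in a shell
// command. Strict validation and argument quoting are independent layers;
// with a loose check alone, "192.168.34.234 asdf" would reach the command.
function allowRule(string $ip): string
{
    if (!isIpv4Strict($ip)) {
        throw new InvalidArgumentException("not an IPv4 address: $ip");
    }
    return 'iptables -A INPUT -s ' . escapeshellarg($ip) . ' -j ACCEPT';
}

$samples = [
    '192.168.34.234',        // valid
    '192.168.34',            // from Joachim's report
    '192.168.34.234 asdf',   // from Joachim's report
    "192.168.34.234\n",      // constructed: trailing newline
    '192.168.034.234',       // constructed: leading zero
    '256.168.34.234',        // constructed: octet out of range
];

foreach ($samples as $s) {
    printf("%-26s loose=%-5s strict=%-5s filter=%s\n",
        json_encode($s),
        var_export(isIpv4Loose($s), true),
        var_export(isIpv4Strict($s), true),
        var_export(isIpv4Filter($s), true));
}

echo allowRule('192.168.34.234'), "\n";
try {
    allowRule('192.168.34.234 asdf');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Only the first sample should pass the strict check; everything else is rejected before it can be interpolated anywhere. The point of the allowRule() helper is Kevin's: a validator is an allow-list gate for every consumer behind it, so a check that lets "192.168.34.234 asdf" through is a security defect in each of those consumers, not a feature gap in the validator.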
