(edited by SiCo 2009-03-15 23:33)

Topic: User Input Validation

Shouldn't the user's profile website field have some form of validation on it before it is put into the database? This and the MSN etc. IDs don't validate to check it is a website URL or an email address, as required by these services.

Surely this leaves the fields open to abuse and makes them simple text fields so anyone can enter anything?

To fix this, do I suggest it as a feature/bug, or just make my own extension to do it?

Simon

Re: User Input Validation

Looking at even more of these settings, there are tons that aren't remotely checked. For example, you can set the user's time zone to 999. I really think these should be addressed. Unfortunately, I made the decision to use PunBB before I discovered this, so I am already halfway through the migration.

I realise data is escaped, but I feel strongly that all data should only be within the realms of what you are actually expecting it to be. If I can help, let me know; I don't want to moan without offering help! Otherwise, is it OK? Is it already on the to-do list? What's the official view?

Simon

Re: User Input Validation

SiCo wrote:

To fix this, do I suggest it as a feature/bug, or just make my own extension to do it?

I don't think that it is a bug, but if you want, you can create an extension to validate this information. I think real members of the forum are interested in stating real and correct contact information about themselves in their profiles. Fake users will enter something useless in these fields, and you will notice this.

SiCo wrote:

Looking at even more of these settings, there are tons that aren't remotely checked. For example, you can set the user's time zone to 999.

Yes, this defect persists. We will fix it.

Re: User Input Validation

Slavok wrote:

I don't think that it is a bug, but if you want, you can create an extension to validate this information. I think real members of the forum are interested in stating real and correct contact information about themselves in their profiles. Fake users will enter something useless in these fields, and you will notice this.

I don't think that is really a line of defence! If a user is there to cause trouble and finds a hole, they will use it. You can't guarantee that everyone is genuine!

I believe it would be better to filter this input rather than relying on it being escaped before output; then you have a double defence, and I would have thought it encourages good programming practice.

Also, with this in mind, is a forms framework being considered, to make it easier to display and process form input? I was using Zend_Form for a bit, and although it can be tricky to start, it does make forms extremely easy and powerful. Just a thought.

Thanks for responding; it's good to know a developer is listening!

Simon

Re: User Input Validation

Slavok wrote:

I don't think that it is a bug, but if you want, you can create an extension to validate this information. I think real members of the forum are interested in stating real and correct contact information about themselves in their profiles. Fake users will enter something useless in these fields, and you will notice this.

That is just pure poppycock. The first, most simple rule of security is to validate all user input where humanly possible. It should *never* be an extension or an afterthought. When that input can be guaranteed to be of a predefined format, there is no excuse whatsoever for not validating it.

Unless you'd prefer that forum admins turn around and tell the scripters and spammers to stop being cocks and behave themselves? I'm sure they'd feel awfully ashamed at being berated and behave in a civilised manner.

Honestly, Slavok, that response you posted beggars belief.

Re: User Input Validation

There is a check for the URL field: http://punbb.informer.com/trac/browser/ … e.php#L924

What do you mean by 'validation'? It's easy to add a regex and a message 'invalid URL'. If you mean this, I'll add it to the feature requests.

Re: User Input Validation

Parpalak wrote:

There is a check for the URL field: http://punbb.informer.com/trac/browser/ … e.php#L924

What do you mean by 'validation'? It's easy to add a regex and a message 'invalid URL'. If you mean this, I'll add it to the feature requests.

It only checks and adds http://, I believe. Either way, you can still add anything you like; it will just prepend http:// to the front, like: http://fdgfdgfbgfbf

I believe an 'invalid URL' message would be good. As for Messenger/AIM etc., they can only be email addresses (I think!), so force them to be. This should be the attitude to everything, wherever there is input.

Re: User Input Validation

SiCo wrote:

I believe an 'invalid URL' message would be good. As for Messenger/AIM etc., they can only be email addresses (I think!), so force them to be. This should be the attitude to everything, wherever there is input.

Validating e-mail isn't exactly easy to do.

With most of these values, I pretty much fail to see their importance. So someone enters a wrong homepage or wrong AIM - where's the harm? It only hurts him, nobody else.

Re: User Input Validation

If Messenger really looks like an e-mail, its validation can be easily added.

But I have an objection about the 'website' field. The forum can be installed for users of a LAN. Users may simply write their computer names there. A computer name doesn't have a form like '<something>.com' and will fail validation.

Re: User Input Validation

pepak wrote:

Validating e-mail isn't exactly easy to do.

The old devs managed it perfectly well where 1.2 was concerned, so I see no reason why 1.3 should be any different.


pepak wrote:

With most of these values, I pretty much fail to see their importance. So someone enters a wrong homepage or wrong AIM - where's the harm? It only hurts him, nobody else.

The point is? The input is invalid. Pure and simple. Consequence is irrelevant.

Re: User Input Validation

Parpalak wrote:

But I have an objection about the 'website' field. The forum can be installed for users of a LAN. Users may simply write their computer names there. A computer name doesn't have a form like '<something>.com' and will fail validation.

If an internal zone is set up incorrectly, that is not for PunBB to decide. A domain should be in the form of *.*. Only localhost is exempt from that rule.


Btw, in reference to your earlier post: sloppy (or, in this case, it seems, no) input validation is *never* a feature request. It is a bug.

Re: User Input Validation

MattF wrote:

If an internal zone is set up incorrectly, that is not for PunBB to decide. A domain should be in the form of *.*. Only localhost is exempt from that rule.

I think it's not only a question of "how an internal zone should be set up", but also a question of "how the internal zones of real users are set up". For example, IE6 doesn't follow standards, but this fact doesn't mean that the Oxygen style must be free of hacks for IE6. I still doubt that we have to allow only URLs like *.*.

MattF wrote:

Btw, in reference to your earlier post: sloppy (or, in this case, it seems, no) input validation is *never* a feature request. It is a bug.

Sure. Probably I've interpreted the terms in a slightly different way.

Re: User Input Validation

MattF wrote:
pepak wrote:

Validating e-mail isn't exactly easy to do.

The old devs managed it perfectly well where 1.2 was concerned, so I see no reason why 1.3 should be any different.

I should have said "Validating e-mail properly".

pepak wrote:

With most of these values, I pretty much fail to see their importance. So someone enters a wrong homepage or wrong AIM - where's the harm? It only hurts him, nobody else.

The point is? The input is invalid. Pure and simple. Consequence is irrelevant.

Is it? And if he enters a semantically valid but non-existent ID, or an ID belonging to someone else, then what? Should the system complain, too? Why bother?

MattF wrote:

If an internal zone is set up incorrectly, that is not for PunBB to decide. A domain should be in the form of *.*. Only localhost is exempt from that rule.

What if I don't use a domain for my webpage?

Re: User Input Validation

pepak wrote:

Is it? And if he enters a semantically valid but non-existent ID, or ID belonging to someone else, then what? Should the system complain, too? Why bother?

No, the system shouldn't be concerned with whether the data is actually accurate or correct in terms of meaning, but it should be concerned with whether it is accurate and correct as far as the system needs and expects. If some output is accidentally not escaped, it could cause a bug: someone enters some JavaScript commands that then run on your site. Whereas if the data was properly screened beforehand, this could be avoided.

It's always possible to miss escaping SQL input or output, no matter how good the development team is.

I see it as a line in the defences, backed up by escaping the SQL and the output etc. It should be standard coding practice to check that all input is at least within reasonable bounds.
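As an added example that is not part of the thread and not PunBB's own code, the Python below (PunBB is PHP; Python is used so the sample runs stand-alone) puts the checks argued for in the posts above into code: the website field is parsed and checked against a scheme allow list instead of merely having http:// prepended, so 'fdgfdgfbgfbf' is rejected unless single-label LAN host names are explicitly allowed (Parpalak's objection); the time zone is bounded rather than accepting 999; the Messenger/AIM handles must be e-mail shaped; and render_link shows why escaping on output does not replace validation, because html.escape leaves a javascript: URL intact inside an href. The field names, length limits and time zone bounds are assumptions for the demo, and the sample form is constructed.

```python
"""Added example, not PunBB's own code: allow-list validation for the profile
fields discussed in this thread (website URL, time zone offset, e-mail-shaped
IM handles), plus a demonstration of why output escaping alone is not enough
in an href. Python stands in for PHP; limits and field names are assumed."""
import html
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy: drops javascript:, data:, ftp:
MAX_URL_LEN = 255                     # assumed column size
TZ_MIN, TZ_MAX = -12.0, 14.0          # assumed bounds for a UTC offset in hours
# One DNS label: 1-63 chars of [A-Za-z0-9-], neither starting nor ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Shape check only (local@host.tld); full RFC 5322 validation is not the aim.
EMAIL_LIKE_RE = re.compile(r"^[^@\s]{1,64}@([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def valid_host(host, allow_single_label):
    """IP literal or DNS labels; a lone label (a LAN computer name) only if allowed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return len(labels) > 1 or allow_single_label


def validate_website(raw, allow_single_label=False):
    """Return a normalised URL, '' for an empty field, or None if rejected.

    The old check only prepended 'http://', so 'fdgfdgfbgfbf' was stored as
    'http://fdgfdgfbgfbf'. A bare host still gets a scheme here, but the result
    is then parsed and checked; a rejected value never reaches the database."""
    value = raw.strip()
    if not value:
        return ""
    if len(value) > MAX_URL_LEN:
        return None
    if "://" not in value:
        value = "http://" + value
    try:
        parts = urlsplit(value)
        _ = parts.port               # raises ValueError for 'http://javascript:alert(1)'
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if parts.username is not None or parts.password is not None:
        return None                  # no embedded credentials in profile links
    host = parts.hostname
    if not host or not valid_host(host, allow_single_label):
        return None
    return parts.geturl()


def validate_timezone(raw):
    """Offset in hours, bounded to [TZ_MIN, TZ_MAX]; '999' and NaN are rejected."""
    try:
        offset = float(str(raw).strip())
    except ValueError:
        return None
    return offset if TZ_MIN <= offset <= TZ_MAX else None


def validate_im_handle(raw):
    """MSN/AIM-style handles that must look like an e-mail address; '' is allowed."""
    value = raw.strip()
    if not value:
        return ""
    return value if len(value) <= 80 and EMAIL_LIKE_RE.match(value) else None


def validate_profile(form, allow_single_label=False):
    """Run every check on a submitted form dict; returns (clean_values, errors)."""
    checks = {
        "url": lambda v: validate_website(v, allow_single_label),
        "timezone": validate_timezone,
        "msn": validate_im_handle,
        "aim": validate_im_handle,
    }
    clean, errors = {}, {}
    for field, check in checks.items():
        result = check(form.get(field, ""))
        if result is None:
            errors[field] = "invalid value"
        else:
            clean[field] = result
    return clean, errors


def render_link(url):
    """Output escaping exactly as a template does it. It neutralises quotes and
    angle brackets but cannot make a javascript: URL harmless inside href, so
    the scheme allow list above is a separate layer, not a duplicate of this."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(url))


# Constructed sample submission for the demo, not real user data.
SAMPLE_FORM = {"url": "javascript:alert(1)", "timezone": "999",
               "msn": "simon@example.com", "aim": "not an address"}

if __name__ == "__main__":
    print(validate_profile(SAMPLE_FORM))
    print(render_link(SAMPLE_FORM["url"]))   # escape-only path: still a live javascript: link
```

Running it rejects the url, timezone and aim fields and keeps only the msn value, while render_link on the raw url value shows an escaped but still executable javascript: link, which is the gap that validation closes and escaping alone does not.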

Re: User Input Validation

SiCo wrote:

It's always possible to miss escaping SQL input,

Actually, if developers (in general, not specifically of PunBB) finally started to use prepared statements, the whole problem of SQL injection would go away.

SiCo wrote:

I see it as a line in the defences, backed up by escaping the SQL and the output etc. It should be standard coding practice to check that all input is at least within reasonable bounds.

I agree generally, but I do think that there are cases where rigorous validation isn't worth it. E-mail-like logins for various IM services are one such case.

Re: User Input Validation

pepak wrote:
SiCo wrote:

It's always possible to miss escaping SQL input,

Actually, if developers (in general, not specifically of PunBB) finally started to use prepared statements, the whole problem of SQL injection would go away.

I believe you'll find that statement is incorrect, if I remember correctly. Prepared statements are, from memory, an extra layer of protection but not a foolproof one. Besides, there is still no excuse for not parsing, sanitising and validating wherever humanly possible. Any other approach is plain old sloppiness where security is concerned, no matter how you phrase it. You cannot make a silk purse out of a sow's ear. Period.


pepak wrote:

I see it as a line in the defences, backed up by escaping the SQL and the output etc. It should be standard coding practice to check that all input is at least within reasonable bounds.

I agree generally, but I do think that there are cases where rigorous validation isn't worth it. E-mail-like logins for various IM services are one such case.

Rigorous validation and sanitisation is *always* worth it. Any other approach is, inevitably, at some point in time, just putting up a big sign asking for problems.

If you wish to take the haphazard approach personally, then by all means do so. A project such as this should have no coding practices such as those in place, however. Security is paramount.

Re: User Input Validation

MattF wrote:

I believe you'll find that statement is incorrect, if I remember correctly. Prepared statements are, from memory, an extra layer of protection but not a foolproof one.

Only if you use them the same way you would use regular queries, which of course completely defeats their purpose and all their advantages.

pepak wrote:

I agree generally, but I do think that there are cases where rigorous validation isn't worth it. E-mail-like logins for various IM services are one such case.

Rigorous validation and sanitisation is *always* worth it. Any other approach is, inevitably, at some point in time, just putting up a big sign asking for problems.

I would appreciate it if you kept to the arguments at hand. We were talking about validation. Now you add sanitization, which is a whole different matter: sanitization cleans data of possible malicious parts (and obviously needs to be done every time), while validation only makes sure that it is formatted in a certain way (and experience shows that you will almost always find valid inputs which are formatted differently than you expected).

MattF wrote:

If you wish to take the haphazard approach personally, then by all means do so. A project such as this should have no coding practices such as those in place, however. Security is paramount.

Is it? Really? There are a great many avenues to improve security, but it could be argued that many of them increase it only marginally while increasing costs a lot. Or that some of these approaches would add more security and should be done first - e.g. those prepared queries, or a different database account for administrators (EVERY database should have at least three users: an owner, who cannot log in from the web server; an admin, who can modify everything but can't e.g. drop tables or databases; and a user, who can only read and write what's necessary for him to read). Input validation is nice to have, certainly, but its importance is relatively low if rigorous sanitization is done on output.
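As an added example that is not part of the thread and not PunBB's code, the Python below puts the prepared-statements exchange of the last three posts into runnable form, with sqlite3 standing in for MySQL (the table, columns and rows are invented for the demo, and the injection payload is constructed). It shows the concatenated query being injectable, the parameterised one not, the one way prepared statements do fail (SQL text still assembled by string formatting, with nothing left to bind, which is the "same way you would use regular queries" case), and the place where validation stays necessary even with prepared statements: identifiers such as ORDER BY columns cannot be bound and need an allow list. The separate database accounts mentioned above are outside what an in-memory sqlite demo can show.

```python
"""Added example, not PunBB's own code: what parameterised (prepared) queries
buy against SQL injection, the one way they still fail, and the place where an
allow list is still needed. sqlite3 stands in for MySQL; the table, columns
and rows are invented for the demo."""
import sqlite3

SORTABLE_COLUMNS = {"id", "username"}   # assumed allow list for ORDER BY


def make_db():
    """In-memory database with constructed sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, group_id INTEGER)")
    conn.executemany("INSERT INTO users (username, group_id) VALUES (?, ?)",
                     [("simon", 4), ("slavok", 1), ("admin", 1)])
    return conn


def escape_for_literal(value):
    """Escaping for a quoted string literal, SQL-standard style (double the quote).
    It is dialect-specific (MySQL also needs backslash handling) and only helps
    at call sites that remember to use it, which is the 'always possible to miss'
    point made in the thread."""
    return value.replace("'", "''")


def find_by_username_concat(conn, username):
    """Vulnerable: the value becomes part of the SQL text, escaping forgotten."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_by_username_param(conn, username):
    """Safe: the SQL text is fixed and the value is bound as a parameter, so the
    database only ever compares it as data."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchall()


def find_by_username_misused(conn, username):
    """The caveat: a 'prepared statement' whose text is still assembled with
    string formatting protects nothing. This is using them 'the same way you
    would use regular queries'."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql, ()).fetchall()     # nothing left to bind


def list_users_sorted(conn, sort_by):
    """Identifiers (column names in ORDER BY) cannot be bound as parameters, so
    validation against an allow list is still required even with prepared
    statements."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError("unknown sort column: %r" % sort_by)
    return conn.execute("SELECT id, username FROM users ORDER BY %s" % sort_by).fetchall()


INJECTION = "' OR '1'='1"     # constructed payload: turns the WHERE clause into a tautology

if __name__ == "__main__":
    db = make_db()
    print("concat:  ", find_by_username_concat(db, INJECTION))   # every row
    print("param:   ", find_by_username_param(db, INJECTION))    # no rows
    print("misused: ", find_by_username_misused(db, INJECTION))  # every row again
    print("escaped: ", find_by_username_concat(db, escape_for_literal(INJECTION)))
```

The payload returns all three rows through the concatenated and the misused "prepared" paths, no rows through the properly bound one, and no rows through the escaped literal; list_users_sorted refuses anything outside the allow list because there is no parameter slot for a column name.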

Re: User Input Validation

I was actually going to write an in-depth reply to your post above, but realised I might as well try to plait snuff. Hence this shortened version.

You are perfectly entitled to your opinion. PunBB, however, should be sanitising (which is perfectly relevant, might I add) and validating all input where possible. Simple fact. Crap in, crap out.

That is personally my last post on this subject. I can bang my head against a wall here if I'm feeling the urge, rather than responding further to your posts.