Michael,
Thanks for that. I did just read about this exact problem in the
rails guide on security:
http://guides.rails.info/security.html#regularexpressions
Chas Lemley
On Thu, Feb 26, 2009 at 6:27 AM, Michael Graff
<skan.gryphon-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:>
> I recently implemented a system which stores DNS names, and writes out
> DNS zone files. I found these to be rather useful tests:
>
> def test_name_with_newline_fails
> z = Zone.new(:name => "test\nzone")
> assert !z.valid?
> assert z.errors.on(:name)
> end
>
> def test_name_with_space_fails
> z = Zone.new(:name => "test zone")
> assert !z.valid?
> assert z.errors.on(:name)
> end
>
> When I use these zone names, I _always_ append a specific string, e.g.
> ''.example.com.''
>
> If someone creates a zone called "foo" I will call it
> "foo.example.com." So, when I write out an A record, it would be
> something like:
>
> puts "#{zone}.example.com. A #{address}"
>
> If the user happened to submit: "hacker\n@ NS
> hacker-nameserver.example.com." -- we would have problems.
>
> I thought this regular expression would catch it:
>
> /^[a-zA-Z0-9\-\_\.]$/
>
> and indeed it does catch spaces, random control characters... but not
> newlines! Much to my surprise, I needed to use \A instead of ^ and \Z
> instead of $. ^ matches the beginning of a _line_ and $ the end. \A
> and \Z match the beginning and ends of STRINGS.
>
> Just a FYI, perhaps I am the only one out there who did not know this.
>
> --Michael
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---