[dokuwiki] Re: auth backend: user filters
- From: Chris Smith <chris@xxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Mon, 27 Feb 2006 23:23:15 +0000
Andreas Gohr wrote:
Hi Matthias and Chris and *!
I'm working on the pgsql backend and have some questions on the filters
used to restrict the displayed users in the user manager.
Am I right the filters are taken in the usermanager without any
validation and given as is to getUserCount() ?
So the auth backend needs to sanitize those filters to make sure no bad
characters slip in?
Chris you changed _constructPattern() in the plain backend to allow
regexps, correct? So I can use regexps to find users when using the
plain backend?
Matthias you use the following in _createSQLFilter() of the mysql
backend:
$tmp=addslashes('%'.mysql_real_escape_string($pattern,$this->dbcon).'%');
Two questions on that:
Why addslashes and mysql_real_escape_string? Shouldn't one of them be
enough?
Am I right you're allowing SQL wildcards like _ and % ?
General questions:
Should backends allow such an extended matching?
Shouldn't we better use simple (DOS-Style) globbing using '*' and '?'
which then is translated to regexps or SQL like syntax by the backend?
Andi
Andi,
The filters should be cleansed data, but the user manager may not clean
enough for a particular backend - different backends will have different
special characters and vulnerabilities, so a backend should test for
anything that could cause it a particular problem.
My idea is that the filter expressions are resolved by the backend. So
if you wish to support full regexp you can, if you wish to support DOS
like wildcards you can. What a backend can support may be largely
dependent on the interface available for its data repository. Given a
single wiki is likely to have one backend and that even wiki farms are
likely to have similar auth mechanisms, I don't think it's a problem from
the user point of view that the usermanager works in a slightly
different manner with different backends. The only people who are
likely to see that are devs who work on multiple backends.
I reckon that if a wiki has a large enough user base independently managed
by the usermanager the admin would like the power of regexp.
Chris
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
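One way a backend could resolve the DOS-style filter Andi suggests, added here as an example and not DokuWiki's own code: the glob is turned into a SQL LIKE pattern with the wildcards `%` and `_` of the user's own text escaped, and bound as a query parameter so that neither addslashes() nor mysql_real_escape_string() is needed; the table and column names (users.login), the PDO connection and the helper names are assumptions.

```php
<?php
// Added example, not part of any DokuWiki auth backend.
// Translate a user-manager filter using '*' and '?' into a SQL LIKE
// pattern. The user's own '%', '_' and '!' are escaped with '!' so they
// match literally; '!' is named as the escape character in the query,
// which avoids the backslash handling differences between databases.
function globToLike(string $glob): string
{
    $out = '';
    foreach (str_split($glob) as $ch) {
        switch ($ch) {
            case '*':  $out .= '%'; break;       // glob any-run -> LIKE any-run
            case '?':  $out .= '_'; break;       // glob one char -> LIKE one char
            case '%':
            case '_':
            case '!':  $out .= '!' . $ch; break; // literal LIKE metacharacter
            default:   $out .= $ch;
        }
    }
    return $out;
}

// Same filter as a PCRE for a backend that matches in PHP (as the plain
// backend does): preg_quote() neutralises everything first, then only the
// two glob wildcards are re-enabled.
function globToRegex(string $glob): string
{
    $quoted = preg_quote($glob, '/');
    return '/^' . str_replace(['\*', '\?'], ['.*', '.'], $quoted) . '$/i';
}

// Assumed schema: a users table with a login column. The pattern is a
// bound parameter, so the escaping question raised for the mysql backend
// (addslashes on top of mysql_real_escape_string) does not arise: no
// string from the user manager is ever spliced into the SQL text.
function findUsers(PDO $db, string $glob): array
{
    $stmt = $db->prepare(
        "SELECT login FROM users WHERE login LIKE :pat ESCAPE '!'"
    );
    $stmt->execute([':pat' => globToLike($glob)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Example filters: 'adm*' lists logins starting with adm; 'x_?' matches
// a literal x_ followed by exactly one character; '*%*' only matches
// logins that actually contain a percent sign.
```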
- References:
- [dokuwiki] auth backend: user filters
- From: Andreas Gohr