Item11501: Initial code for validation

Currently performs validation ala RFC 3514. Needs some better intelligence than expecting users to say their entry is evil. Also needs to be incorporated into BulkRegistration. git-svn-id: http://svn.foswiki.org/branches/Release01x01@13904 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Feb 3, 2012 · 928342d · 928342d
1 parent daac433
commit 928342d
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 11 deletions.
diff --git a/TopicUserMappingContrib/lib/Foswiki/Users/TopicUserMapping.pm b/TopicUserMappingContrib/lib/Foswiki/Users/TopicUserMapping.pm
@@ -1496,6 +1496,27 @@ sub passwordError {
     return $this->{passwords}->error();
 }
 
+=begin TML
+
+---++ ObjectMethod validateRegistrationField($field, $value ) -> $string
+
+Returns a string containing the sanitized registration field, or can throw an oops
+if the field contains illegal data to block the registration.
+
+returns the string unchanged if no issue found.
+
+=cut
+
+sub validateRegistrationField {
+
+    #my ($this, $field, $value) = @_;
+
+    throw Error::Simple('Failed to add user: EVIL detected')
+      if ( $_[2] =~ m/evil/i );
+
+    return $_[2];
+}
+
 # TODO: and probably flawed in light of multiple cUIDs mapping to one wikiname
 sub _cacheUser {
     my ( $this, $wikiname, $login ) = @_;

diff --git a/core/lib/Foswiki/UI/Register.pm b/core/lib/Foswiki/UI/Register.pm
@@ -208,6 +208,7 @@ sub bulkRegister {
     #-- Process each row, generate a log as we go
     for ( my $n = 0 ; $n < scalar(@data) ; $n++ ) {
         my $row = $data[$n];
+
         $row->{webName} = $userweb;
 
         unless ( $row->{WikiName} ) {
@@ -267,6 +268,14 @@ sub _registerSingleBulkUser {
     }
 
     try {
+
+  #SMELL: Field Validations
+  # foreach my $field ( %$row ) {
+  #  - validate with Users::validateRegistrationField( $field, $row->{$field} );
+  #  - catch any errors to log
+  # Note, do this HERE and not in _validateRegistration.
+  # CGI registration validates earlier in _getDataFromQuery()
+
         _validateRegistration( $session, $row, 0 );
     }
     catch Foswiki::OopsException with {
@@ -371,7 +380,7 @@ sub _innerRegister {
     my ($session) = @_;
 
     my $query = $session->{request};
-    my $data = _getDataFromQuery( $query, $query->param() );
+    my $data = _getDataFromQuery( $session->{users}, $query, $query->param() );
 
     $data->{webName} = $session->{webName};
 
@@ -399,7 +408,7 @@ sub _requireVerification {
     my $topic = $session->{topicName};
     my $web   = $session->{webName};
 
-    my $data = _getDataFromQuery( $query, $query->param() );
+    my $data = _getDataFromQuery( $session->{users}, $query, $query->param() );
     my $oldName = $data->{WikiName};
     $data->{WikiName} =
       Foswiki::Sandbox::untaint( $data->{WikiName},
@@ -685,6 +694,8 @@ sub addUserToGroup {
         #next if ( $u eq '' );
         $u = '' if ( $u eq '<none>' );
 
+        $u = $session->{users}->validateRegistrationField( 'username', $u );
+
         next
           if ( Foswiki::Func::isGroup($groupName)
             && Foswiki::Func::isGroupMember( $groupName, $u, { expand => 0 } )
@@ -816,7 +827,7 @@ sub _complete {
         _clearPendingRegistrationsForUser($code);
     }
     else {
-        $data = _getDataFromQuery( $query, $query->param() );
+        $data = _getDataFromQuery( $session->{users}, $query, $query->param() );
         $data->{webName} = $web;
     }
 
@@ -1534,6 +1545,7 @@ sub _loadPendingRegistration {
 }
 
 sub _getDataFromQuery {
+    my $users = shift;
     my $query = shift;
 
     # get all parameters from the form
@@ -1549,14 +1561,7 @@ sub _getDataFromQuery {
             # deal with multivalue fields like checkboxen
             my $value = join( ',', @values );
 
-            # Note: field values are unvalidated (and therefore tainted).
-            # This is because the registration code does not have enough
-            # information to validate the data - for example, it cannot
-            # know what the user mapper considers to be a valid login name.
-            # It is the responsibility of the implementation code to untaint
-            # these data before they are used in dangerous ways.
-            # DO NOT UNTAINT THESE DATA HERE!
-            $data->{$name} = $value;
+            $data->{$name} = $users->validateRegistrationField( $name, $value );
             push(
                 @{ $data->{form} },
                 {

diff --git a/core/lib/Foswiki/UserMapping.pm b/core/lib/Foswiki/UserMapping.pm
@@ -541,6 +541,24 @@ sub passwordError {
     return;
 }
 
+=begin TML
+
+---++ ObjectMethod validateRegistrationField($field, $value ) -> $string
+
+Returns a string containing the sanitized registration field, or can throw an oops
+if the field contains illegal data to block the registration.
+
+returns the string unchanged if no issue found.
+
+=cut
+
+sub validateRegistrationField {
+
+    #my ($this, $field, $value) = @_;
+
+    return $_[2];
+}
+
 1;
 __END__
 Foswiki - The Free and Open Source Wiki, http://foswiki.org/

diff --git a/core/lib/Foswiki/Users.pm b/core/lib/Foswiki/Users.pm
@@ -237,6 +237,19 @@ sub supportsRegistration {
 
 =begin TML
 
+---++ ObjectMethod validateRegistrationField ( $field, $value ) -> text
+
+Return the registration formfield sanitized by the mapper,  or oops thrown to block the registration.
+
+=cut
+
+sub validateRegistrationField {
+    my ($this) = shift;
+    return $this->{mapping}->validateRegistrationField(@_);
+}
+
+=begin TML
+
 ---++ ObjectMethod initialiseUser ($login) -> $cUID
 
 Given a login (which must have been authenticated) determine the cUID that