add documentation for the security-related update of validates_format_of

Conflicts:

	activemodel/CHANGELOG.md
	activemodel/lib/active_model/validations/format.rb
commit 1e9e5b93335944aa958def4e7fa64a9a159a686d 1 parent 71eede7
Author: @mrbrdo
activemodel/CHANGELOG.md (10 changed lines)
@@ -1,5 +1,15 @@
## Rails 4.0.0 (unreleased) ##
+## Rails 3.2.6 (unreleased) ##
+
+* Added the `:multiline` option to `validates_format_of` and a deprecation warning when this option is not used
+ and the provided regular expression contains the `^` or `$` anchor. The purpose of this is to prevent users
+ from mistakenly using these anchors when they meant to use `\A` and `\z` to match the start/end of the
+ string as opposed to the start/end of any line in the string.
+
+
+## Rails 3.2.3 (March 30, 2012) ##
+
* Passing false hash values to `validates` will no longer enable the corresponding validators *Steve Purcell*
* `ConfirmationValidator` error messages will attach to `:#{attribute}_confirmation` instead of `attribute` *Brian Cardarella*
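Review bot: The new entry is filed under a "## Rails 3.2.6 (unreleased) ##" heading inserted directly beneath "## Rails 4.0.0 (unreleased) ##", which leaves the 4.0.0 section empty and moves the two pre-existing entries (Steve Purcell, Brian Cardarella) under a freshly added "## Rails 3.2.3 (March 30, 2012) ##" heading. Given the conflict the commit message reports in this file, this looks like a mis-resolved merge: on the 4.0 changelog the entry belongs under the 4.0.0 heading together with the existing entries, and the 3.2.x headings belong on the 3.2 branch. The entry also lacks the trailing *Author* attribution the neighbouring entries carry.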
activemodel/lib/active_model/validations/format.rb (12 changed lines)
@@ -56,7 +56,7 @@ module HelperMethods
# attribute matches the regular expression:
#
# class Person < ActiveRecord::Base
- # validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i, :on => :create
+ # validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i, :on => :create
# end
#
# Alternatively, you can require that the specified attribute does _not_
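Review bot: Replacing \Z with \z in the example is the right fix and worth keeping: in Ruby \Z also matches before a single trailing newline, so the old example accepted "user@example.com\n", whereas \z matches only at the very end of the string. The hunk changes the example silently, though; the only explanation a reader gets is the Note paragraph further down, which still recommends \Z, so a short remark on the \Z/\z distinction next to the example would make it self-explanatory.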
@@ -72,12 +72,17 @@ module HelperMethods
# class Person < ActiveRecord::Base
# # Admin can have number as a first letter in their screen name
# validates_format_of :screen_name,
- # :with => lambda{ |person| person.admin? ? /\A[a-z0-9][a-z0-9_\-]*\Z/i : /\A[a-z][a-z0-9_\-]*\Z/i }
+ # :with => lambda{ |person| person.admin? ? /\A[a-z0-9][a-z0-9_\-]*\z/i : /\A[a-z][a-z0-9_\-]*\z/i }
# end
#
# Note: use <tt>\A</tt> and <tt>\Z</tt> to match the start and end of the
# string, <tt>^</tt> and <tt>$</tt> match the start/end of a line.
#
+ # Due to frequent misuse of <tt>^</tt> and <tt>$</tt>, you need to pass the
+ # :multiline => true option in case you use any of these two anchors in the provided
+ # regular expression. In most cases, you should be using <tt>\A</tt> and <tt>\z</tt>
+ # instead.
+ #
# You must pass either <tt>:with</tt> or <tt>:without</tt> as an option.
# In addition, both must be a regular expression or a proc or lambda, or
# else an exception will be raised.
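Review bot: The unchanged Note at "use <tt>\A</tt> and <tt>\Z</tt> to match the start and end of the string" now contradicts both the updated examples and the new paragraph, which recommend \A and \z; change it to \z and add that \Z also matches before a trailing newline, which is exactly the gap the examples were just fixed for. In the new paragraph, "in case you use any of these two anchors" should read "if you use either of these anchors", and the paragraph should say what happens when :multiline is omitted (a deprecation warning, per the CHANGELOG entry in this commit) rather than only "you need to pass".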
@@ -107,6 +112,9 @@ module HelperMethods
# method, proc or string should return or evaluate to a true or false value.
# * <tt>:strict</tt> - Specifies whether validation should be strict.
# See <tt>ActiveModel::Validation#validates!</tt> for more information.
+ # * <tt>:multiline</tt> - Set to true if your regular expression contains
+ # anchors that match the beginning or end of lines as opposed to the
+ # beginning or end of the string. These anchors are <tt>^</tt> and <tt>$</tt>.
def validates_format_of(*attr_names)
validates_with FormatValidator, _merge_attributes(attr_names)
end
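Review bot: The <tt>:multiline</tt> option entry says when to set it but not what happens if it is left unset while the expression contains ^ or $; since the CHANGELOG entry states that a deprecation warning is emitted, add that here ("otherwise a deprecation warning is issued") so the option list is the one place where the behaviour is fully documented, and point to <tt>\A</tt> and <tt>\z</tt> as the anchors most callers actually want, matching the paragraph above.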
guides/source/security.textile (4 changed lines)
@@ -592,7 +592,7 @@ Ruby uses a slightly different approach than many other languages to match the e
<ruby>
class File < ActiveRecord::Base
- validates :name, :format => /^[\w\.\-\<plus>]<plus>$/
+ validates :name, :format => { :with => /^[\w\.\-\<plus>]<plus>$/, :multiline => true }
end
</ruby>
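Review bot: This example is the "before" of the guide's own fix (the corrected /\A[\w\.\-\+]+\z/ follows a few lines later), so adding :multiline => true here changes what it demonstrates: the plain ^...$ form is what a developer writes by mistake, whereas the new form reads as a deliberate opt-in that also silences the warning the rest of this commit introduces. Either keep the plain form and note that Rails now warns about it, or label the example explicitly as the vulnerable pattern so readers do not copy it with the guard switched off.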
@@ -608,6 +608,8 @@ Whereas %0A is a line feed in URL encoding, so Rails automatically converts it t
/\A[\w\.\-\<plus>]<plus>\z/
</ruby>
+The format validator (validates_format_of) was changed in Rails 2.3.6 to display a warning if the provided regular expression starts with ^ or ends with $. In the case where the use of these anchors is intended, the :multiline option should be set to true.
+
h4. Privilege Escalation
WARNING: _Changing a single parameter may give the user unauthorized access. Remember that every parameter may be changed, no matter how much you hide or obfuscate it._
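Review bot: The version in "was changed in Rails 2.3.6" disagrees with the CHANGELOG entry in this same commit, which files the change under Rails 3.2.6; the guide should name the release the change actually ships in. The description also diverges from the CHANGELOG: here the warning triggers when the expression "starts with ^ or ends with $", there when it "contains the ^ or $ anchor", and the CHANGELOG calls it a deprecation warning rather than a warning. Align the wording with the implementation so the guide, the CHANGELOG and the validator docs describe the same trigger and the same consequence.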