
Fixed all tests, fixed float-parser security issue

1 parent f8e5d91 commit ae7de71d55dc4758deca7a8ae9c7acfbe6b38543 @html html committed Mar 23, 2013
15 src/views/types/parsers/common.lisp
@@ -98,22 +98,23 @@
(when (number-parser-max parser)
(format nil " less than ~A" (+ (number-parser-max parser) 1)))))))
-(defmethod parse-view-field-value ((parser float-parser) value obj
- (view form-view) (field form-view-field) &rest args)
+(defmethod parse-view-field-value ((parser float-parser)
+ value obj
+ (view form-view) (field form-view-field) &rest args)
(declare (ignore args))
(declare (optimize safety))
(ignore-errors
(let* ((presentp (text-input-present-p value))
- (float-value (when presentp
- (float (read-from-string value))))
+ (float-value (when presentp
+ (parse-number:parse-number value :float-format 'long-float)))
(round-factor (awhen (float-parser-round parser)
- (expt 10 (if (eq it t) 0 it)))))
+ (expt 10 (if (eq it t) 0 it)))))
(unless (floatp float-value)
(error 'parse-error))
(when (and float-value (number-parser-min parser))
- (assert (>= float-value (number-parser-min parser))))
+ (assert (>= float-value (number-parser-min parser))))
(when (and float-value (number-parser-max parser))
- (assert (<= float-value (number-parser-max parser))))
+ (assert (<= float-value (number-parser-max parser))))
(values t presentp (if round-factor
(/ (round (* float-value round-factor)) round-factor)
float-value)))))
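Review bot: The switch from `read-from-string` to `parse-number:parse-number` at the new `float-value` binding carries no comment recording why, and the reason is exactly the security property the commit title refers to, so a later "simplification" back to the reader is easy. Suggest a comment above the binding: `;; Never READ untrusted form input: the Lisp reader honours #. (read-eval) and other reader macros; PARSE-NUMBER only accepts numeric syntax.` Note also that `parse-number` may return an integer or ratio for inputs such as `5` or `1/2`, so the unchanged `(unless (floatp float-value) (error 'parse-error))` below is now the type gate rather than a sanity check, and its own comment could say so. Malformed input makes `parse-number` signal (an `invalid-number` condition, if I recall its API), which the enclosing `ignore-errors` folds into a nil result together with the `assert` failures, so callers cannot tell a parse failure from a range violation.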
10 src/widgets/selector.lisp
@@ -174,11 +174,11 @@
(when (car effective-pane)
(pop-tokens uri-tokens))
effective-pane)
- (panes
- (let ((default-pane (or (static-selector-get-pane selector nil) (first panes))))
- (when (car default-pane)
- (consume-tokens uri-tokens (list (car default-pane))))
- default-pane)))))
+ ((and (null token) panes)
+ (let ((default-pane (or (static-selector-get-pane selector nil) (first panes))))
+ (when (car default-pane)
+ (consume-tokens uri-tokens (list (car default-pane))))
+ default-pane)))))
(unless cached-pane ; already in cache? add if not
(push (cons (car selected-pane) (cdr selected-pane)) (static-selector-cached-panes selector)))
(static-selector-select-pane selector (car selected-pane))
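Review bot: The new clause condition `(and (null token) panes)` narrows the default-pane fallback, but nothing in the hunk says what happens when `token` is non-nil yet matched no pane; the `cond` then falls off the end and yields nil, and the surrounding function (its head and the binding of `token` are outside the hunk) appears to pass that result straight into `(push (cons (car selected-pane) (cdr selected-pane)) ...)` and `static-selector-select-pane` below. If `selected-pane` is indeed this cond's value, please confirm that caching a `(nil . nil)` entry and selecting a nil pane is the intended not-found behaviour, or guard those two lines with `(when selected-pane ...)`. A comment on the clause stating the intent, e.g. `;; no pane token in the URI: fall back to the default pane`, would make the narrowed condition self-explanatory.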
9 test/control-flow/workflow.lisp
@@ -1,15 +1,6 @@
(in-package :weblocks-test)
-;;; test yield->do-widget
-(deftest yield->do-widget-1
- (weblocks::yield->do-widget '(1 two (three 4) (5 (yield 6) 7) 8) 'foo)
- (1 two (three 4) (5 (do-widget foo 6) 7) 8))
-
-(deftest yield->do-widget-2
- (weblocks::yield->do-widget nil 'foo)
- nil)
-
;;; test with-flow
(deftest with-flow-1
(with-request :get nil
30 test/views/formview/parser.lisp
@@ -54,4 +54,34 @@
(text-input-present-p "foo")
t)
+(defmacro outputs-nothing-p (&body body)
+ `(zerop
+ (length
+ (with-output-to-string (*standard-output*)
+ ,@body))))
+
+(deftest text-parser-parse-view-field-value-1
+ (parse-view-field-value (make-instance 'float-parser)
+ "12312.312312313123" *joe*
+ (find-view '(form employee))
+ (make-instance 'form-view-field))
+ t t 12312.312312313123d0)
+
+(deftest float-parser-parse-view-field-value-2
+ (outputs-nothing-p
+ (parse-view-field-value (make-instance 'float-parser)
+ "#.(progn (print \"Some injected code executed\") 1)" *joe*
+ (find-view '(form employee))
+ (make-instance 'form-view-field)))
+ t)
+
+#+sbcl(deftest float-parser-parse-view-field-value-3
+ (ignore-errors
+ (weblocks::with-timeout (3)
+ (parse-view-field-value (make-instance 'float-parser)
+ "1e10000000000000000000000000" *joe*
+ (find-view '(form employee))
+ (make-instance 'form-view-field))
+ t))
+ t)
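Review bot: The first new test is named `text-parser-parse-view-field-value-1` although it exercises `float-parser`, breaking the `float-parser-parse-view-field-value-N` numbering the next two tests follow; rename it `(deftest float-parser-parse-view-field-value-1`. Test 2 asserts only that the reader-macro payload produces no output on `*standard-output*`; because `outputs-nothing-p` discards the call's values, it would stay green if the parser ever printed elsewhere or returned a bogus float, so consider also checking that `parse-view-field-value` returns nil for that input. Test 3 is `#+sbcl`-only, presumably because `weblocks::with-timeout` is not available elsewhere, which leaves the huge-exponent regression unverified on other implementations; a comment recording that limitation, e.g. `;; SBCL only: relies on weblocks::with-timeout`, would help.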
5 weblocks.asd
@@ -8,7 +8,7 @@
(defsystem weblocks
:name "weblocks"
- :version "0.8.6"
+ :version "0.8.7"
:maintainer "Slava Akhmechet"
:author "Slava Akhmechet"
:licence "LLGPL"
@@ -31,7 +31,8 @@
:salza2
:html-template
:trivial-timeout
- :trivial-backtrace)
+ :trivial-backtrace
+ :parse-number)
:components ((:module src
:components (
(:file "package")
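Review bot: The new `:parse-number` entry in `:depends-on` carries no version constraint, so the float parser's acceptance rules depend on whichever parse-number release happens to be installed; ASDF accepts `(:version "parse-number" "<minimum-version>")` in place of the bare name if a floor is wanted. Since this dependency is now the input-validation boundary for form-submitted floats, pinning a known-good minimum version is worth considering.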
