This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: avarab[at]gmail.com [Submitted to the original trac issue database at 5.45pm, Thursday, 16th July 2009]
This is related to ticket:1936 which fixed one vector, but Potlatch still doesn't do server-side validations of user-supplied data so the issue could return in other circumstances, either due to a client bug or a malicious user.
The bug surfaces for example in [http://lists.openstreetmap.org/pipermail/dev/2009-July/016153.html this issue] in which data entered into Potlatch caused a minutely changeset to be invalid XML.
So Potlatch should, upon getting user-submitted data:
* Check if it's valid UTF-8; the railsport already has a function for this.
But that would still break things because the main API only accepts a subset of UTF-8 due to it also doing incidental validation [http://lists.openstreetmap.org/pipermail/dev/2009-July/016165.html with its XML parser].
So the spec needs to be made clearer on which subset of UTF-8 is accepted. But meanwhile Potlatch should take the conservative approach and reject the control characters that the main API refuses.
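As an added example (not code from this issue or from the OpenStreetMap codebase), a Ruby check of the kind the ticket asks amf_controller to perform on submitted tags: reject strings that are not valid UTF-8, and reject strings containing the control characters that XML 1.0 does not allow, since those are what broke the minutely changeset. The function names and the exact rejected character set are my own assumptions.

```ruby
# Added example: server-side validation of user-supplied strings before they
# are stored. Function names and the rejected character set are assumptions,
# not taken from the OpenStreetMap code.

# Characters XML 1.0 forbids anywhere in a document: the C0 controls other
# than tab, LF and CR, plus U+FFFE and U+FFFF. A downstream XML parser (the
# main API's, or a consumer of the minutely diffs) rejects these.
XML_INVALID = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/

# True when +str+ is well-formed UTF-8, whatever encoding it was tagged with.
def valid_utf8?(str)
  str.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# True when +str+ is valid UTF-8 and contains no XML-forbidden character.
# The UTF-8 check comes first: matching a regexp against an invalid byte
# sequence raises ArgumentError in Ruby.
def xml_safe?(str)
  return false unless valid_utf8?(str)
  !XML_INVALID.match?(str.dup.force_encoding(Encoding::UTF_8))
end

# Validates a tag hash as submitted by the client. Returns an array of
# error messages (empty when everything is acceptable) so the caller can
# decide how to report them back to the editor.
def validate_tags(tags)
  errors = []
  tags.each do |key, value|
    [["key", key], ["value", value]].each do |what, s|
      unless valid_utf8?(s)
        errors << "#{what} #{s.inspect} is not valid UTF-8"
        next
      end
      unless xml_safe?(s)
        errors << "#{what} #{s.inspect} contains a character XML does not allow"
      end
    end
  end
  errors
end
```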
Author: Richard [Added to the original trac issue at 8.05pm, Thursday, 16th July 2009]
"Potlatch still doesn't do server-side validations of user-supplied data" is a contradiction in terms, Potlatch doesn't run server-side. You mean amf_controller. ;)
I believe Matt suggested a fix in #1936 - you could try applying it.
Author: avarab[at]gmail.com [Added to the original trac issue at 7.48am, Friday, 17th July 2009]
Replying to [comment:1 Richard]:
> "Potlatch still doesn't do server-side validations of user-supplied data" is a contradiction in terms, Potlatch doesn't run server-side. You mean amf_controller. ;)

I mean amf_controller, which for all intents and purposes is the server side of Potlatch since it's not a public API and Potlatch is the only thing that uses it.

> I believe Matt suggested a fix in #1936 - you could try applying it.

I'm not interested in spending time on it myself since I haven't had to directly deal with Potlatch's corrupt data, so the itch-to-scratch factor isn't there. But it's an issue I've noted that a bug wasn't filed for, hence this ticket.