[geeklog-devel] COM_applyFilter doesn't accept negative numbers

Dirk Haun dirk at haun-online.de
Sat Feb 19 16:37:09 EST 2005


>If you call COM_applyFilter($var, true) you run into a problem if $var
>is negative.  In that case COM_applyFilter will return 0.

Yep, I noticed this myself some time ago. Someone reported that it wasn't
possible to disable poll comments and it came down to the same problem. I
actually worked around it in admin/poll.php now.

>Notice the preg_match won't match negative numbers.  This is easily

Good catch.

>Is there any problem if we allow numbers like 4e4 to be accepted?

I couldn't see a reason for us to accept large numbers, especially not in
that notation. Couple that with an unspecified fear of allowing DoS-type
attacks in some scenarios.

In other words, there's no comprehensible reason and we should probably
be doing more sanity checks before accepting large numeric values instead.

Which reminds me of an observation from this discussion:
<http://www.geeklog.net/forum/viewtopic.php?showtopic=48299>. I tried to figure
out how Geeklog could come up with those SQL errors, and it seems if
someone tries to post a comment as a reply to a nonexistent comment ID,
we throw an SQL error. Shouldn't Geeklog catch those?
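As an added illustration of the three points raised in this thread (negative numbers being rejected, exponent notation such as 4e4, and sanity-checking large values), the following PHP is example code written for this page; it is not Geeklog's COM_applyFilter and is not code from anyone in the thread. The function name filterPlainInt, its range parameters and the sample inputs are all hypothetical/constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Geeklog's COM_applyFilter; every name below is hypothetical.
// It shows a numeric filter that:
//   1. accepts negative integers (the case reported above),
//   2. still rejects exponent notation such as "4e4",
//   3. applies an explicit range so oversized values are refused rather
//      than silently clamped or handed on to SQL.

/**
 * Return $var as an int when it is a plain decimal integer with an optional
 * leading minus, inside [$min, $max]. Return null on any other input so the
 * caller can reject the request instead of continuing with 0.
 */
function filterPlainInt($var, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    if (!is_int($var) && !is_string($var)) {
        return null;
    }
    $s = (string) $var;

    // Syntax: optional "-" followed by digits without leading zeros.
    // This rejects "4e4", "+5", "1.0", " 12", "12abc", "007" and "" outright.
    if (preg_match('/^-?(?:0|[1-9][0-9]*)$/', $s) !== 1) {
        return null;
    }

    // Range and overflow: FILTER_VALIDATE_INT returns false for values that
    // do not fit in a PHP int or fall outside min_range..max_range.
    $n = filter_var($s, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

// Constructed sample inputs (hypothetical range -1..100000, e.g. a setting
// where -1 means "use the default"): negatives pass, "4e4" and oversized
// values are rejected.
$samples = ['-1', '0', '42', '4e4', '007', '99999999999999999999', 'abc', ''];
foreach ($samples as $in) {
    $out = filterPlainInt($in, -1, 100000);
    printf("%-24s => %s\n", var_export($in, true), $out === null ? 'rejected' : (string) $out);
}
```

Returning null rather than 0 on bad input matters for the poll-comments case: a caller that treats 0 as "valid, disabled" cannot tell a deliberate 0 from a rejected "-1". The same applies to the reply-to comment ID mentioned at the end: once the ID has passed the filter, the caller should still confirm that the parent comment exists before issuing the INSERT, so a nonexistent ID produces a clean error page instead of an SQL error.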

