X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=lib%2FCGI%2FUntaint%2FMaypole.pm;fp=lib%2FCGI%2FUntaint%2FMaypole.pm;h=d096c276892e4010db01e8b3b0b5c72a44c98793;hb=a4c30c9757a710511bcfabe5cad9a7390eabfbcd;hp=0000000000000000000000000000000000000000;hpb=58c9595d95477fa806c7876aa7bf80d1908bd22d;p=maypole.git diff --git a/lib/CGI/Untaint/Maypole.pm b/lib/CGI/Untaint/Maypole.pm new file mode 100644 index 0000000..d096c27 --- /dev/null +++ b/lib/CGI/Untaint/Maypole.pm @@ -0,0 +1,124 @@ +package CGI::Untaint::Maypole; + +use strict; +use warnings; +our $VERSION = '0.01'; +use base 'CGI::Untaint'; +use Carp; + +=head1 NAME + +CGI::Untaint::Maypole - Use instead of CGI::Untaint. Based on CGI::Untaint + +=head1 SYNOPSIS + + use CGI::Untaint::Maypole; + my $h = CGI::Untaint::Maypole->new($params); + $value = $h->extract(-as_printable => 'name); + + if ($h->error =~ /No input for/) { + # caught empty input now handle it + .... + } + if ($h->raw_data->{$field} eq $object->$field) { + # Raw data same as database data. Perhaps we should not update field + ... + } + +=head1 DESCRIPTION + +This patches some issues I have with CGI::Untaint. You still need it installed +and you install handlers the same. + +1) Instead of passing the empty string to the untaint handlers and relying on +them to handle it to everyone's liking, it seems better +to have CGI::Untaint just say "No input for field" if the field is blank. + +2) It adds the method C to the get back the parameters the handler +was created with. + +=cut + + +sub raw_data { + return shift->{__data}; +} + +# offending method ripped from base and patched +sub _do_extract { + my $self = shift; + + my %param = @_; + + #---------------------------------------------------------------------- + # Make sure we have a valid data handler + #---------------------------------------------------------------------- + my @as = grep /^-as_/, keys %param; + croak "No data handler type specified" unless @as; + croak "Multiple data handler types specified" unless @as == 1; + + my $field = delete $param{ $as[0] }; + my $skip_valid = $as[0] =~ s/^(-as_)like_/$1/; + my $module = $self->_load_module($as[0]); + + #---------------------------------------------------------------------- + # Do we have a sensible value? Check the default untaint for this + # type of variable, unless one is passed. + #---------------------------------------------------------------------- + + ################# PETER'S PATCH ##################### + my $raw = $self->{__data}->{$field} ; + die "No parameter for '$field'\n" if !defined($raw); + die "No input for '$field'\n" if $raw eq ''; + ##################################################### + + + my $handler = $module->_new($self, $raw); + + my $clean = eval { $handler->_untaint }; + if ($@) { # Give sensible death message + die "$field ($raw) is in invalid format.\n" + if $@ =~ /^Died at/; + die $@; + } + + #---------------------------------------------------------------------- + # Are we doing a validation check? + #---------------------------------------------------------------------- + unless ($skip_valid) { + if (my $ref = $handler->can('is_valid')) { + die "$field ($raw) is in invalid format.\n" + unless $handler->is_valid; + } + } + + return $handler->untainted; +} + +=head1 BUGS + +None known yet. + +=head1 SEE ALSO + +L. L. + +=head1 AUTHOR + +Peter Speltz. + +=head1 BUGS and QUERIES + +Please direct all correspondence regarding this module to: + bug-Maypole@rt.cpan.org + +=head1 COPYRIGHT and LICENSE + +Copyright (C) 2006 Peter Speltz. All rights reserved. + +This module is free software; you can redistribute it and/or modify +it under the same terms as Perl itself. + +=cut + +1;