Comments on: regex 0.9.4

By: Mark

Mark — Tue, 29 Apr 2008 15:25:44 +0000

Yes, watching the logs will be fun

By: Volcane

Volcane — Tue, 29 Apr 2008 15:03:02 +0000

Thanks Lars, I think you’re app is great I have used several and reviewed several and once yours is sorted I think it will become my regex tester of choice, keep it up

The basic rule is never rely on the client for input testing always do it server side and try to think out the box in terms of how people will use your app, def add some logging to see exactly what people are putting into your form so you can see what is being tried etc

By: Lars Olav Torvik

Lars Olav Torvik — Tue, 29 Apr 2008 14:36:34 +0000

Oh another small comment for Mark. There actually are a couple of people who can’t proccess regex in their heads

By: Lars Olav Torvik

Lars Olav Torvik — Tue, 29 Apr 2008 14:26:53 +0000

It seems I’m a bit naive when it comes to security. Not used to create applications like this. Usally just regular registrations forms etc that I need to make secure from injection attacks etc. I just created a tool I would like to use my self and decided to share

Mark: Thanks for the tips about the modifiers. The modifiers should now be filtered on the server.

Volcane: I have done some other small modifications now but not sure if I have catched the security breach you saw or if it is the same as Mark commented. I would apreaciate it if you could send me a mail at meAlfaLarsolavtorvik.com with a concrete example I can test with.

Atleast my app is getting some testing

By: Mark

Mark — Tue, 29 Apr 2008 13:49:33 +0000

(Still, nice little tool though, for people who can’t yet process regex in their heads

By: Mark

Mark — Tue, 29 Apr 2008 13:10:30 +0000

Yep, in firebug:

document.getElementById(’pcre_modifiers_multiline’).value = ‘e’;

Enable multiline mode and hack away! Filter your modifiers server-side and prevent it from happening at all.

By: Volcane

Volcane — Tue, 29 Apr 2008 13:06:30 +0000

Have another go, its still VERY trivial.

By: Lars Olav Torvik

Lars Olav Torvik — Tue, 29 Apr 2008 12:03:48 +0000

Thanks for your comment. I have installed a patch that hopefully solves this problem

By: Volcane

Volcane — Tue, 29 Apr 2008 11:47:44 +0000

May I suggest you take this application down immediately and address the glaring security holes that is exposing your whole server’s contents to the world. I won’t mention details here but I am sure you can figure it out.

By: Thor

Thor — Wed, 23 Apr 2008 20:55:53 +0000

ja skjønner.
det var derfor jeg tenkte på en knapp dedikert til escaping. denne knappen gir brukeren en prompt der man kan skrive tekst og deretter plasseres teksten inn i pattern feltet det var noe veldig enkelt jeg så for meg, fordi det er kun når man først går i gang å lager pattern at det trengs en hurtig escaping.