alexxed / narro

Automatically exported from code.google.com/p/narro

Please improve input validation in Narro #306

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Issue:
We'd like to bring Narro back online on Mozilla servers; in the security review we carried out for this, we found a number of issues which, while now resolved, may not have been exploitable had Narro been more strict on validating input.

As it's entirely possible there are more issues, we'd love to see the input validation improved.

Remediation:
Please ensure that, where possible, the application checks that the type, the size and the format of input are valid. For more information on this, please consult the Mozilla Secure Coding Guidelines:
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation

Thanks

Original issue reported on code.google.com by goodwins...@gmail.com on 2 May 2012 at 8:49

GoogleCodeExporter commented 9 years ago

Original comment by alex...@gmail.com on 3 May 2012 at 5:10

GoogleCodeExporter commented 9 years ago
It's not just a matter of restricting input, which I can't always do; it's mostly a matter of escaping the input before it is executed or displayed.

Because when you translate you should be able to enter whatever character you want.

Original comment by alex...@gmail.com on 3 May 2012 at 5:35
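The two positions in this thread are compatible, and the added example below (not Narro's own code; the function names, the locale whitelist and the request data are hypothetical and constructed for illustration) shows how they combine: structured parameters such as ids and locale codes get strict type, size and format checks as the reporter asks, while free-form translation text, which must accept any character as the maintainer notes, is only checked for length and valid UTF-8 and is then escaped at output time and bound as a parameter when stored.

```php
<?php
// Added example, not code from the Narro project.
// Structured parameters: strict type/size/format validation (reject on failure).
// Free-form translation text: accept any character, check only size and
// encoding, and neutralise it at the point of output or storage instead.

// Hypothetical whitelist of locale codes (constructed sample).
const ALLOWED_LOCALES = ['en-US', 'ro', 'fr', 'de', 'zh-CN'];

// Structured field: a positive integer of at most 10 digits, nothing else.
function validateId($raw): ?int {
    if (!is_string($raw) && !is_int($raw)) return null;                // type
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string)$raw)) return null;  // format and size
    return (int)$raw;
}

// Structured field: must equal one of the known locale codes exactly.
function validateLocale($raw): ?string {
    if (!is_string($raw) || strlen($raw) > 10) return null;             // type and size
    return in_array($raw, ALLOWED_LOCALES, true) ? $raw : null;         // format
}

// Free-form field: translators may type any character, so the text is not
// filtered or altered; only oversize input and invalid UTF-8 are rejected.
// preg_match with the /u modifier fails on malformed UTF-8, so no mbstring needed.
function validateTranslationText($raw, int $maxBytes = 65535): ?string {
    if (!is_string($raw) || strlen($raw) > $maxBytes) return null;
    if (preg_match('//u', $raw) !== 1) return null;
    return $raw;
}

// Escape when displaying, so '<', '&' and quotes in a translation are shown
// literally by the browser rather than interpreted as HTML.
function renderTranslation(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape when storing: a prepared statement passes the text as a bound value,
// so quotes inside a translation never reach the SQL parser as syntax.
function storeTranslation(PDO $db, int $id, string $locale, string $text): void {
    $stmt = $db->prepare('INSERT INTO translation (text_id, locale, text) VALUES (:id, :locale, :text)');
    $stmt->execute([':id' => $id, ':locale' => $locale, ':text' => $text]);
}

// Constructed request data standing in for $_POST.
$request = ['id' => '42', 'locale' => 'ro', 'text' => 'Salut, <b>lume</b> & "prieteni"'];
$id = validateId($request['id']);
$locale = validateLocale($request['locale']);
$text = validateTranslationText($request['text']);
if ($id === null || $locale === null || $text === null) { http_response_code(400); exit('Invalid input'); }
echo renderTranslation($text), "\n";
```

The translation text above keeps its markup characters intact in storage and display; what changes is only how it is encoded for each sink, which is the distinction the maintainer draws between restricting and escaping input.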