# cfml-general
p
Anyone using FuseGuard? I'd like to be able to allow # in form scope. I think this is the regex:
```cfml
<cfif ReFindNoCase("^[a-z0-9_:./-]+$", arguments.value)><cfreturn 0></cfif>
```
and I think if I change it to
```cfml
<cfif ReFindNoCase("^[a-z0-9_:./-##]+$", arguments.value)><cfreturn 0></cfif>
```
(SQLInjectionFilter.cfc) it should be OK. This is a legacy code base so it's hard to find exact tests. Yes, I know Pete wrote it and have also reached out, just want to see if anyone could help sooner.
b
Just a note 'cause I'm not even a novice when it comes to regex - the two lines of code above are the same...
p
Fixed that mistake sorry
👍 1
a
I don't think that's the bit you want. Have you got an example of a false positive that trips the filter? It should be in the fuseguard logs
The reg exp you posted will match anything with only those characters. Note that spaces etc are not part of it, which is why I think it's not what you want to change, but examples of false positives would help 🙂
r
```cfml
<cfset test = "some.fuseaction##" />
<cfif ReFindNoCase("^[a-z0-9" & "##" & "_:./-]+$", test)>
    <cfoutput>OK</cfoutput>
<cfelse>
    <cfoutput>NOT OK</cfoutput>
</cfif>
```
somehow # does not fit into the regexp 🙂 an error is returned, but concatenation helped
heh, "^[a-z0-9##_:./-]+$" works, but "^[a-z0-9_:./-##]+$" doesn't
👍 1
a
`##` should work, depends where you put it in though. If you put it after a control character you'll get a malformed expression. For example `-` is for character ranges. So yeah, in that example it'll get confused and think you are doing a character range.
r
indeed, has to be escaped, ReFindNoCase("^[a-z0-9_:./\-##]+$", test)
👍 1
a
yeah, but `"^[a-z0-9##_:./-]+$"` is more readable
Don't think that's going to solve OP's issue though 🙂
😀 1
p
Thank you!
"^[a-z0-9##_:./-]+$".
After many hours of fixing 1000s of issues you get a little numb and can't think.
🎯 1
@aliaspooryorik isn't it saying if it's not one of those chars then stop? i.e. if not that, then block. I think. I have closed it for the evening, I'll check tomorrow when I am fresher.
a
I think you're getting confused by the `^` - it is confusing as it has two meanings depending on context. If you use the `^` at the start of a reg exp, then it acts as an anchor; if you use it inside a set then it acts as a "not present".
So in `^[^a-z]+$` the first `^` refers to the start of the string (an anchor). The second `^` is in a set so means "none of these characters".
In `^[a-z0-9_:./-]+$` it's doing `^` and `$` to make sure it matches the whole string.