
#83 validate user input

open
nobody
7
2001-06-08
2001-06-08
Keith Buck
No

Both the Backend and Frontend need to validate user
input to questions. I envision this happening by
specifying a REGEXP for valid answers to a given
question. Potentially, this could replace the
YN_TOGGLE tag; you would just specify:

REGEXP: [Y|N]

for yes/no questions. For questions which specify IP
addresses, you would use

REGEXP: (\d{1,3}\.){3}\d{1,3}

or the like. Errors should be reported in both
InteractiveBastille and Backend (in case someone
tweaked the config file)

Discussion

  • Keith Buck

    Keith Buck - 2001-06-08
    • priority: 5 --> 7
     
  • Keith Buck

    Keith Buck - 2001-06-08

    Logged In: YES
    user_id=195786

    F+B-W=3+6-2=7

    (Badness of 6 because it could have a lot of
    unknown/unexpected consequences, normal use because a lot of
    people make typos, but workaround is just to specify correct
    answers)

     
  • Peter Watkins

    Peter Watkins - 2001-06-08

    Logged In: YES
    user_id=1441

    For some questions, e.g. the firewall question about
    services/ports to allow connections to, a regexp would be
    very difficult to use for validation. So it might be much
    better to call functions for this (one function might simply
    use regexps to validate). One of the things I'd like to
    change is the way the Bastille/*.pm modules work. Right now
    the darn things run their install routines when they are
    use()/import()ed. I'd like to define an Install() method for
    each module. This would allow us to put module-specific
    verification routines within the modules themselves (who
    better to decide what is valid?); we could use() the module
    to get the Verify() routine (usage:
    Verify($question_label,$user_submission) returns an empty
    string if OK, or an error message string if not) without
    running the blasted install methods.

    As for what an error is, that's a big question. When
    Bastille asks you which users should be allowed to log in to
    the console, should the verification check
    - trust whatever you enter (maybe the user doesn't exist
    *yet*?)
    - warn with ErrorLog() about invalid user/group names
    - reject nonexistent names
    ? (my vote: the second option)

     
  • Keith Buck

    Keith Buck - 2001-06-12

    Logged In: YES
    user_id=195786

    Pete said:
    > For some questions, e.g. the firewall question about
    > services/ports to allow connections to, a regexp would be
    > very difficult to use for validation

    Why? I agree that it can't do a complete job, but it
    should be able to prevent people from putting in completely
    bogus information.

    I definitely agree about an install/run and I think more
    error checking is needed in the backend modules to prevent
    doing silly things. But error checking the input to make
    sure it's valid is still a great start. This wouldn't yet
    check /etc/passwd to make sure it's a real user, etc.
    That would have to happen at implementation (backend) time.

     
  • Tyler Easterling

    Logged In: YES
    user_id=285136

    Added a REG_EXP field to Questions.txt.
    If the field is present, the answers are compared against
    that field.

    This data is checked in the Tk gui but not in the Curses ui.
    It is also checked against in the BackEnd...

    Currently only y|n and umask questions are checked for
    Linux.
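
Added example (not Bastille's code and not written by anyone in this thread): a table of per-question rules behind the Verify($question_label,$user_submission) interface proposed above, with anchored regexps for simple answers and functions for ports and user names. The question labels, the rule table, the user-name pattern and the sample answers are assumptions made for illustration.

```perl
# Added example; labels, rules and sample answers are hypothetical, not Bastille's.
use strict;
use warnings;

# A rule is a regexp for simple answers, or a function where one regexp is not
# enough (ports, user names). Patterns are anchored with \A and \z.
my %RULES = (
    yn    => qr/\A[YN]\z/,          # [Y|N] would also accept a literal "|"
    umask => qr/\A0?[0-7]{3}\z/,
    ip    => sub {
        my @octets = $_[0] =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/
            or return "not a dotted quad";
        return "octet above 255" if grep { $_ > 255 } @octets;
        return "";
    },
    ports => sub {
        for my $p (split ' ', $_[0]) {
            return "bad port '$p'" unless $p =~ /\A[0-9]{1,5}\z/ && $p >= 1 && $p <= 65535;
        }
        return "";
    },
    users => sub {
        for my $u (split ' ', $_[0]) {
            return "bad user name '$u'" unless $u =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
            # Second option from the thread: warn about unknown names, do not reject.
            warn "warning: user '$u' does not exist (yet)\n" unless defined getpwnam($u);
        }
        return "";
    },
);

# Verify($question_label, $user_submission): "" if OK, else an error message.
sub Verify {
    my ($label, $answer) = @_;
    my $rule = $RULES{$label} or return "no validation rule for '$label'";
    return "no answer given" unless defined $answer;
    return $rule->($answer) if ref $rule eq 'CODE';
    return $answer =~ $rule ? "" : "answer does not match $rule";
}

# Constructed answers, including ones an unanchored pattern would let through.
for my $case (['yn', 'Y'], ['yn', '|'], ['yn', "Y\n"], ['umask', '077'],
              ['ip', '10.0.0.1'], ['ip', '999.1.1.1'], ['ip', '10.0.0.1 extra'],
              ['ports', '22 80 443'], ['ports', '22 70000'], ['users', 'root Bad!']) {
    my ($label, $answer) = @$case;
    (my $shown = $answer) =~ s/\n/\\n/g;
    my $err = Verify($label, $answer);
    printf "%-6s %-18s %s\n", $label, "'$shown'", $err eq '' ? 'OK' : "REJECTED: $err";
}
```

Running the same Verify() in both the front end and the back end covers the case from the ticket where the config file was edited by hand after the questions were answered.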

     
