@ThaDafinser opened this issue on July 28th 2014

I have a configuration for a plugin (release soon)...

But how can i skip input/output filter?

Converting like & to & destroying the valid ldap filter...

namespace Piwik\Plugins\LdapVisitorInfo;

use Piwik\Settings\SystemSetting;
use Piwik\Settings\Setting;

class Settings extends \Piwik\Plugin\Settings

    protected function init()
        $setting = new SystemSetting('searchFilter', 'LDAP search filter');
        $setting->type = self::TYPE_STRING;
        $setting->defaultValue = '(&(objectclass=user)(samAccountName=%s))';
        $setting->inlineHelp = 'Search for username: "(&(objectclass=user)(samAccountName=%s))". Search for E-Mail (&(objectclass=user)(mail=%s))';
        $setting->transform = function ($value, Setting $setting)
            return (string) $value;
        $setting->validate = function ($value, Setting $setting)


@tsteur commented on August 4th 2014

I am pretty sure your code is already skipping the input / output filter. "Problem" is in CoreAdminHome controller which passes the value like this to the settings API see https://github.com/piwik/piwik/blob/master/plugins/CoreAdminHome/Controller.php#L160

It uses Common::getRequestVar() to get the sent value which will most likely already change it to &amp; This is kinda on purpose for security reasons I reckon. Not sure what best solution would be @mattab

@mattab commented on August 4th 2014

@tsteur maybe it would work to get the raw value via Common::unsanitizeInputValue? it does a htmlspecialchars_decode($value, self::HTML_ENCODING_QUOTE_STYLE);

@ThaDafinser commented on August 5th 2014

"Auto" security is always a probelm IMO....see what happend to magic_quotes ...

I like the ZF2 way...define the filter/validators per default for each input type: https://github.com/zendframework/zf2/blob/master/library/Zend/Form/Element/Email.php#L127-L139 https://github.com/zendframework/zf2/blob/master/library/Zend/Form/Element/DateTime.php#L183-L193

Then you can override it for each element if you want.

@tsteur commented on August 5th 2014

I was rather concert about changing it now regarding breaking the API. The settings API's might be already used in some plugins out there who maybe rely on this. Makes still sense to fix it though so should be ok if we announce it maybe even upfront or so.

@ThaDafinser commented on August 5th 2014

@tsteur i can be a BC, but don't have to. If you do it like in the links i provided above, than you can per default define the filter / validators like they work today.

@tsteur commented on August 5th 2014

That's a great idea @ThaDafinser Didn't think of that. I implemented it like this and then noticed it makes sense to actually pass the unmodified value to the settings as it otherwise just results in more problems. Think for instance of the control "password" where we should not change the value at all. Also the default validator which is used if $availableValues will only work correct in all cases if we do not alter the input. Otherwise we would show an error if an available value contains for instance & although the user chose an available value.

@mattab commented on August 5th 2014

Nice @tsteur!

@ThaDafinser feel free to close ticket if the new code works for you. thanks for reporting!

@ThaDafinser commented on August 5th 2014

@tsteur @mattab just grabbed the master and it works fine for me.

@ThaDafinser commented on August 5th 2014

@tsteur @mattab works fine :smile:

Plugin publish soon: https://github.com/ThaDafinser/LdapConnection https://github.com/ThaDafinser/LdapVisitorInfo

@ThaDafinser commented on August 5th 2014

Thx for the quick fix again :)

This issue was closed on August 5th 2014
Powered by GitHub Issue Mirror