#129 ✓resolved
darix

will_paginate should make sure that the page param is an integer

Reported by darix | November 8th, 2007 @ 10:34 PM

atm i use that code inside my controller to avoid problems with params like

?page=abc

?page=0

   begin
      params[:page] = Integer(params[:page]) unless params[:page].nil?
    rescue
      # ignore conversion errors

      params[:page] = 1
    end
    params[:page] = 1 if params[:page] <= 0

Comments and changes to this ticket

  • Mislav

    Mislav October 13th, 2007 @ 03:18 AM

    • Assigned user changed from “Chris Wanstrath” to “Mislav”
    • State changed from “new” to “open”

    And how does :page parameter get to be "abc" or "0" in the first place?

  • Mislav

    Mislav October 14th, 2007 @ 01:57 AM

    • State changed from “open” to “invalid”

    Sorry, but I just don't see any value in this. If someone written 'asdfds' for :page parameter, the application should break in my opinion.

    Whoever wants to sanitize input, he will have to do it manually like you seem to do already. To other readers, here is the same code as above:

       begin
          params[:page] = Integer(params[:page]) unless params[:page].nil?
        rescue
          # ignore conversion errors
          params[:page] = 1
        end
        params[:page] = 1 if params[:page] <= 0
    
  • Andrew Nesbitt

    Andrew Nesbitt October 25th, 2007 @ 06:20 PM

    I ran into this error as well, submitted a ticket with a fix, it was causing a nasty exception with a possible security hole.

    http://err.lighthouseapp.com/pro...

  • darix

    darix November 8th, 2007 @ 10:10 PM

    how can it be invalid?

    your plugin should never produce invalid SQL statements imho. and evil users might try to break the application with injecting invalid values for query string params.

    your plugin consums the parameter. if it is not a valid value, and being something else than an integer is not valid, the plugin should handle it more gracefully before it hits the SQL layer.

    if your solution is that every user of your plugin should protect the parameter before calling Modell.paginate, i would rather not recommend the plugin.

    my proposed is a very graceful version of that. another option might be raising ArgumentError.

  • darix

    darix November 8th, 2007 @ 10:27 PM

    just as an example: lets say you add suppor for "page=last"/"page=first" at some point. external validation would break the usage of that feature.

    if the validation code is part of the plugin you could adapt the validation to the new feature and no user has to touch their code.

  • darix

    darix November 8th, 2007 @ 10:30 PM

    i wanted to fix the code in the first comment. but the lighthouse application is eating the ruby code. no matter whether i used

  • Mislav

    Mislav December 24th, 2007 @ 12:26 AM

    • State changed from “invalid” to “resolved”

    In revision [421], WillPaginate::InvalidPage error is thrown on invalid input in :page parameter. WillPaginate::Collection doesn't even accept nil as page value anymore, but paginate() API does and defaults to page 1.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Everyone's favorite Ruby library for pagination of practically anything!

Pages