Hi Philippe,

>>> +}
>>> +
>>> static void stk_agent_send_noreply(struct stk_agent *agent, const char
>>> *method)
>>> {
>>> DBusConnection *conn = ofono_dbus_get_connection();
>>> @@ -541,7 +562,7 @@ static void get_digit_cb(DBusPendingCall *call,
>>> void *data)
>>> DBUS_TYPE_STRING,&digit,
>>> DBUS_TYPE_INVALID) == FALSE ||
>>> strlen(digit) != 1 ||
>>> - !valid_phone_number_format(digit)) {
>>> + !check_digit(digit)) {
>>
>> This is still wrong as it also needs to take care of the hidden_input
>> case where the '+' is not allowed.
>
> Good point. But then, it requires to retrieve the command qualifier (or
> at least the hidden_val property from the agent->msg).
>
> I think this is more complicated to perform this checking here. It
> should be more convenient to place this in the callback (here
> 'request_key_cb').
> But we can think also to simply remove any checking. For GET_INPUT, we
> are not checking the min/max length ;o)

No, we do need to sanitize any output from the agent. We do this in a half assed way right now and that needs to be fixed.

>
> Note that apparently, we missed to consider the hidden property in
> 'handle_command_get_inkey'. Therefore, we are not sending this
> information to the STK agent. I'm willing to correct this.

Please do.

Regards,
-Denis
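
Review bot: in the get_digit_cb hunk, `!check_digit(digit)` is called with the reply string alone, so the check cannot tell a normal digit request from a hidden-input one, which is the case the reply above says must reject '+'. Consider passing the hidden flag to the validator as a second argument (a hypothetical signature, not one shown in the patch), or doing the character check where the command qualifier is available. Either way, keep the `strlen(digit) != 1` test ahead of it so a malformed agent reply is still rejected before it is used.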