Patch #29674

closed

Missing validation for custom field formats based on RecordList

Added by Alexander Achenbach about 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Category: Custom fields
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

No validation is performed on input given to custom field formats

  • EnumerationFormat
  • UserFormat
  • VersionFormat

(all based on RecordList). While displayed choices are properly restricted, manipulation of the form on the client side allows sending arbitrary record IDs, which will be accepted without further checks.

The attached patch (tested on Redmine 3.4.6) adds a validation function to RecordList.


Files

validate-record-list.patch (680 Bytes), Alexander Achenbach, 2018-09-25 13:23
29674_test_added.patch (4.54 KB), Takenori TAKAKI, 2018-09-28 05:08

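
The server-side check the description asks for, sketched as an added standalone Ruby example (not the attached patch and not Redmine's code; the class, method names and sample records are hypothetical and constructed): submitted IDs are compared against the set of choices the form would have offered for that project, and anything outside it is rejected.

```ruby
require 'set'

# Constructed sample records (hypothetical): versions by project.
VERSIONS = [
  { id: 1, project_id: 10, name: '1.0' },
  { id: 2, project_id: 10, name: '1.1' },
  { id: 7, project_id: 99, name: 'other-project-roadmap' }
].freeze

# Hypothetical stand-in for a record-list style custom field.
class RecordListField
  def initialize(records, multiple: false)
    @records = records
    @multiple = multiple
  end

  # IDs the form would render as choices for this project. Kept as strings,
  # because form parameters arrive as strings.
  def allowed_ids(project_id)
    @records.select { |r| r[:project_id] == project_id }
            .map { |r| r[:id].to_s }.to_set
  end

  # Returns error messages; an empty array means the submission is valid.
  # Blank entries are ignored (an empty selection is not a forged ID).
  def validate(submitted, project_id)
    values = Array(submitted).map(&:to_s).reject(&:empty?)
    allowed = allowed_ids(project_id)
    errors = []
    errors << 'only one value is allowed' if !@multiple && values.size > 1
    invalid = values.reject { |v| allowed.include?(v) }
    errors << "is not included in the list: #{invalid.join(', ')}" if invalid.any?
    errors
  end
end

if __FILE__ == $PROGRAM_NAME
  field = RecordListField.new(VERSIONS)
  p field.validate('2', 10) # ID offered by the form for project 10
  p field.validate('7', 10) # ID of a record outside project 10
end
```
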
#1

Updated by Takenori TAKAKI about 6 years ago

+1
I also think that the validation that 'Alexander Achenbach' pointed out should be done.
Actually, by manipulating the form on the client side, it was possible to send an arbitrary record ID.
I added test code to the patch made by 'Alexander Achenbach' and attach it.

#2

Updated by Go MAEDA about 6 years ago

  • Target version set to 3.3.9

Setting the target version to 3.3.9.

#3

Updated by Jean-Philippe Lang almost 6 years ago

  • Subject changed from missing validation for formats based on RecordList to Missing validation for custom field formats based on RecordList
  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang

Patch committed, thanks.

#4

Updated by Jean-Philippe Lang almost 6 years ago

  • Status changed from Resolved to Closed

#5

Updated by Jean-Philippe Lang almost 6 years ago

  • Target version changed from 3.3.9 to 3.4.7

Reverted from 3.3-stable, ProjectCopyTest#test_copy_issues_should_reassign_version_custom_fields_to_copied_versions was failing.
