Patch #29674
Closed
Missing validation for custom field formats based on RecordList
Description
No validation is performed on input given to custom field formats
- EnumerationFormat
- UserFormat
- VersionFormat
(all based on RecordList). While displayed choices are properly restricted, manipulation of the form on the client side allows sending arbitrary record IDs, which will be accepted without further checks.
The attached patch (tested on Redmine 3.4.6) adds a validation function to RecordList.
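The server-side check the description calls for, as an added example in plain Ruby; it is not the attached patch and not Redmine's code. The names `RecordListField`, `accept_unchecked` and `accept_validated` are hypothetical, and the version IDs are constructed sample data.

```ruby
# One selectable record as the rendered form would offer it.
Choice = Struct.new(:id, :label)

class RecordListField
  def initialize(choices, multiple: false)
    @choices = choices
    @multiple = multiple
  end

  # IDs the form offers, as strings (form parameters arrive as strings).
  def allowed_ids
    @choices.map { |c| c.id.to_s }
  end

  # Behaviour described in the report: whatever the client sent is kept.
  def accept_unchecked(submitted)
    normalize(submitted)
  end

  # Server-side check: every submitted ID must be one of the offered choices.
  # Returns [accepted_values, errors]; nothing is accepted if any ID is invalid.
  def accept_validated(submitted)
    values = normalize(submitted)
    errors = []
    errors << "only one value allowed" if !@multiple && values.size > 1
    invalid = values - allowed_ids
    errors << "not included in the list: #{invalid.join(', ')}" unless invalid.empty?
    errors.empty? ? [values, []] : [[], errors]
  end

  private

  # Blank entries (the empty option of a select) carry no value.
  def normalize(submitted)
    Array(submitted).map { |v| v.to_s.strip }.reject(&:empty?).uniq
  end
end

def demo
  # Constructed sample: two versions are offered; record 99 is never displayed.
  field = RecordListField.new([Choice.new(3, "1.0"), Choice.new(4, "1.1")], multiple: true)
  {
    unchecked: field.accept_unchecked(["4", "99"]), # altered form data passes through
    tampered:  field.accept_validated(["4", "99"]), # rejected with an inclusion error
    honest:    field.accept_validated(["", "3", 4]) # blanks dropped, offered IDs kept
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```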
Updated by Takenori TAKAKI about 6 years ago
- File 29674_test_added.patch added
+1
I also think that the validation that 'Alexander Achenbach' pointed out should be done.
Actually, by manipulating the form on the client side, it was possible to send an arbitrary record ID.
I added test code to the patch made by 'Alexander Achenbach' and attached it.
Updated by Go MAEDA about 6 years ago
- Target version set to 3.3.9
Setting the target version to 3.3.9.
Updated by Jean-Philippe Lang almost 6 years ago
- Subject changed from missing validation for formats based on RecordList to Missing validation for custom field formats based on RecordList
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
Patch committed, thanks.
Updated by Jean-Philippe Lang almost 6 years ago
- Status changed from Resolved to Closed
Updated by Jean-Philippe Lang almost 6 years ago
- Target version changed from 3.3.9 to 3.4.7
Reverted from 3.3-stable, ProjectCopyTest#test_copy_issues_should_reassign_version_custom_fields_to_copied_versions was failing.