Patch #29674

missing validation for formats based on RecordList

Added by Alexander Achenbach 22 days ago. Updated 12 days ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Custom fields
Target version:3.3.9

Description

No validation is performed on input given to custom field formats

  • EnumerationFormat
  • UserFormat
  • VersionFormat

(all based on RecordList). While displayed choices are properly restricted, manipulation of the form on the client side allows to send arbitrary record IDs, which will be accepted without further checks.

The attached patch (tested on Redmine 3.4.6) adds a validation function to RecordList.

validate-record-list.patch Magnifier (680 Bytes) Alexander Achenbach, 2018-09-25 13:23

29674_test_added.patch Magnifier (4.54 KB) Takenori TAKAKI, 2018-09-28 05:08

History

#1 Updated by Takenori TAKAKI 19 days ago

+1
I also think that the validation that 'Alexander Achenbach' pointed out should be done.
Actually, by manipulating the form on the client side, it was possible to send arbitrary record ID.
I added a test code to the patch made by 'Alexander Achenbach' and attach it.

#2 Updated by Go MAEDA 12 days ago

  • Target version set to 3.3.9

Setting the target version to 3.3.9.

Also available in: Atom PDF