Patch #29674

Missing validation for custom field formats based on RecordList

Added by Alexander Achenbach 3 months ago. Updated 10 days ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Custom fields
Target version: 3.4.7
Start date:
Due date:
% Done: 0%

Description

No validation is performed on input given to custom field formats

  • EnumerationFormat
  • UserFormat
  • VersionFormat

(all based on RecordList). While the displayed choices are properly restricted, manipulating the form on the client side allows arbitrary record IDs to be sent, which are accepted without further checks.

The attached patch (tested on Redmine 3.4.6) adds a validation function to RecordList.

validate-record-list.patch (680 Bytes) Alexander Achenbach, 2018-09-25 13:23

29674_test_added.patch (4.54 KB) Takenori TAKAKI, 2018-09-28 05:08
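
An added illustration of the issue the description above reports (example code written for this page; it is neither the attached patch nor Redmine's own implementation): a minimal stand-in for a RecordList-style format, with constructed sample records, whose validate method rejects any submitted ID that is not among the choices the field actually offers.

```ruby
# Added example, not Redmine code: a simplified model of a RecordList-based
# custom field format. Real Redmine formats build their choices from
# Version/User/Enumeration records; here the records are constructed inline.

# Constructed sample records, keyed by ID. ID 3 stands for a record the
# field must not offer (e.g. a version belonging to another project).
VERSIONS = {
  1 => "1.0",
  2 => "1.1",
  3 => "2.0-other-project"
}.freeze

# Hypothetical stand-in for a RecordList-style format class.
class RecordListFormat
  def initialize(allowed_ids)
    # IDs the field may offer; stored as strings because form params are strings
    @allowed_ids = allowed_ids.map(&:to_s)
  end

  # The values rendered as <option> entries. Restricting this list only
  # constrains the browser's UI, not what a client can submit.
  def possible_values
    @allowed_ids
  end

  # Server-side check of the submitted value(s). Returns an error list
  # (empty when valid), handling single values, arrays and blanks alike.
  def validate(value)
    submitted = Array(value).map(&:to_s).reject(&:empty?)
    invalid = submitted - possible_values
    invalid.empty? ? [] : [:inclusion]
  end
end

# Field offering only the records that belong to this project (IDs 1 and 2).
field = RecordListFormat.new(VERSIONS.keys.reject { |id| id == 3 })
field.validate("2")         # => []
field.validate(["1", "3"])  # => [:inclusion], "3" is not an offered choice
```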

Associated revisions

Revision 17645
Added by Jean-Philippe Lang 12 days ago

Missing validation for custom field formats based on RecordList (#29674).

Patch by Alexander Achenbach.

Revision 17646
Added by Jean-Philippe Lang 12 days ago

Tests for #29674.

Patch by Takenori TAKAKI.

Revision 17654
Added by Jean-Philippe Lang 11 days ago

Merged r17645 to 3.4-stable (#29674).

Revision 17655
Added by Jean-Philippe Lang 11 days ago

Merged r17645 to 3.3-stable (#29674).

History

#1 Updated by Takenori TAKAKI 2 months ago

+1
I also think that the validation that 'Alexander Achenbach' pointed out should be done.
Actually, by manipulating the form on the client side, it was possible to send arbitrary record IDs.
I added test code to the patch made by 'Alexander Achenbach' and attach it.

#2 Updated by Go MAEDA 2 months ago

  • Target version set to 3.3.9

Setting the target version to 3.3.9.

#3 Updated by Jean-Philippe Lang 12 days ago

  • Subject changed from missing validation for formats based on RecordList to Missing validation for custom field formats based on RecordList
  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang

Patch committed, thanks.

#4 Updated by Jean-Philippe Lang 11 days ago

  • Status changed from Resolved to Closed

#5 Updated by Jean-Philippe Lang 10 days ago

  • Target version changed from 3.3.9 to 3.4.7

Reverted from 3.3-stable, ProjectCopyTest#test_copy_issues_should_reassign_version_custom_fields_to_copied_versions was failing.
