missing validation for formats based on RecordList
No validation is performed on input given to custom field formats (all based on RecordList). While displayed choices are properly restricted, manipulation of the form on the client side allows sending arbitrary record IDs, which will be accepted without further checks.
The attached patch (tested on Redmine 3.4.6) adds a validation function to RecordList.
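To make the gap concrete, here is a small added Ruby model of a RecordList-style field format (example code, not Redmine's own classes or the attached patch): the unchecked variant accepts any integer-looking ID, while the checked variant also requires the ID to be one the field actually offers. The record IDs and names are constructed sample data.

```ruby
# Added example (not Redmine's code): why restricting the displayed choices
# is not enough, and how a server-side membership check closes the gap.

# Constructed sample records the form would display as choices
# (in Redmine these would be e.g. users or versions).
VISIBLE_RECORDS = { 7 => "Alice", 12 => "Bob" }.freeze

# Vulnerable variant: only checks that the value looks like an ID and trusts
# that the client submitted one of the options that were rendered.
class UncheckedRecordList
  def initialize(choices)
    @choices = choices
  end

  def possible_values
    @choices.keys
  end

  # Returns a list of error messages; empty means the value is accepted.
  def validate_single_value(value)
    value.to_s =~ /\A\d+\z/ ? [] : ["is not a valid record id"]
  end
end

# Hardened variant: after the syntactic check, the submitted ID must be in
# the same list that was used to render the select box.
class CheckedRecordList < UncheckedRecordList
  def validate_single_value(value)
    errors = super
    return errors unless errors.empty?
    possible_values.include?(value.to_i) ? [] : ["is not included in the list"]
  end
end

# Simulates the server deciding whether a submitted form value is accepted.
def accepted?(format, submitted_value)
  format.validate_single_value(submitted_value).empty?
end

if __FILE__ == $0
  [UncheckedRecordList, CheckedRecordList].each do |klass|
    fmt = klass.new(VISIBLE_RECORDS)
    puts "#{klass}: id 7 -> #{accepted?(fmt, '7')}, " \
         "id 99 (not offered) -> #{accepted?(fmt, '99')}"
  end
end
```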
#1 Updated by Takenori TAKAKI 19 days ago
- File 29674_test_added.patch added
I also think that the validation that 'Alexander Achenbach' pointed out should be done.
Actually, by manipulating the form on the client side, it was possible to send arbitrary record IDs.
I added a test code to the patch made by 'Alexander Achenbach' and attach it.