Patch #29674
closed
Missing validation for custom field formats based on RecordList
Added by Alexander Achenbach over 5 years ago.
Updated over 5 years ago.
Description
No validation is performed on input given to custom field formats
- EnumerationFormat
- UserFormat
- VersionFormat
(all based on RecordList). While displayed choices are properly restricted, manipulation of the form on the client side allows to send arbitrary record IDs, which will be accepted without further checks.
The attached patch (tested on Redmine 3.4.6) adds a validation function to RecordList.
Files
+1
I also think that the validation that 'Alexander Achenbach' pointed out should be done.
Actually, by manipulating the form on the client side, it was possible to send arbitrary record ID.
I added a test code to the patch made by 'Alexander Achenbach' and attach it.
- Target version set to 3.3.9
Setting the target version to 3.3.9.
- Subject changed from missing validation for formats based on RecordList to Missing validation for custom field formats based on RecordList
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Status changed from Resolved to Closed
- Target version changed from 3.3.9 to 3.4.7
Reverted from 3.3-stable, ProjectCopyTest#test_copy_issues_should_reassign_version_custom_fields_to_copied_versions was failing.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by