Context Navigation

Modify ↓

#3510 closed defect (fixed)

Security: Disabled fields can still be edited by clever user

Reported by:	anonymous	Owned by:	obs
Priority:	high	Component:	BlackMagicTicketTweaksPlugin
Severity:	critical	Keywords:
Cc:		Trac Release:	0.11

Description

Though I haven't installed or used your plugin, I was just browsing through the source and it seems that disabled fields are only disabled superficially. In other words, only by adding a disabled attribute to the HTML tag.

A clever user could still submit a new value for the disabled field in the HTTP POST data and change its value. This is a security flaw that is particularly important for projects with anonymous contributors (such as this one :-)).

Thanks,

Aamer Abbas

Attachments (0)

Change History (3)

comment:1 Changed 16 years ago by anonymous

Severity:	normal → major

comment:2 Changed 14 years ago by obs

Owner:	changed from Stephen Hansen to obs
Severity:	major → critical
Trac Release:	0.10 → 0.11

comment:3 Changed 14 years ago by obs

Resolution:	→ fixed
Status:	new → closed

(In [7207]) Added ticket validation for disabled and hidden fields, if they are modified by the user (i.e. faking the http post or editing the form with tools such as firebug) an access denied error will be thrown fixes #3510

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain obs.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: