
Field Keys, User input.


http://community.inv...nt-feeds-r38102
This can be marked as duplicate; it is simply a list of array keys, and therefore field keys, that should be protected and are not.
Consider $input as the user-inputted field key, and $table as the ccs_custom_database_x table the field is being added to.
if($this->DB->checkForField($input, $table))
{
    //not allowed.
}
if($this->DB->checkForField($input, 'ccs_database_categories'))
{
    //not allowed.
}
$protected = array('record_link', 'url', 'title', 'content', '_isRead', '_database');
if(in_array($input, $protected))
{
    //not allowed.
}

Status: Fixed
Version: 2.3.2
Fixed In: 2.3.3


3 Comments

Missed category_link, but I think you get the idea re: how much can be broken by user input.
Updating Fixed In to: 2.3.3
Updating Status to: Fixed

Added this to fieldsClass and call it in the AJAX and main controller save methods. We can expand on it in the future as needed, though this "issue" really is the sort of issue you'd be hard pressed to stumble upon, or would only hit if you were TRYING to break things.

    /**
     * Check a field key to prevent issues.  Centralized as this can be called from multiple areas.
     *
     * @param    int        Database ID
     * @param    string    Field key
     * @return    @e bool
     */
    public function checkFieldKey( $database, $key )
    {
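        // $database and $key are interpolated into the WHERE clause as-is, so callers must pass an integer ID and a sanitized key.
        $field    = $this->DB->buildAndFetch( array( 'select' => 'field_id', 'from' => 'ccs_database_fields', 'where' => "field_database_id={$database} AND field_key='{$key}'" ) );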

        if( $field['field_id'] )
        {
            return false;
        }

        if( $this->DB->checkForField( $key, 'ccs_database_categories' ) )
        {
            return false;
        }

        $protected    = array( 'record_link', 'url', 'title', 'content', '_isRead', '_database', 'category_link', 'primary_id_field', 'member_id', 'record_saved', 'record_updated',
                            'post_key', 'rating_real', 'rating_hits', 'rating_value', 'category_id', 'record_locked', 'record_comments', 'record_views', 'record_approved',
                            'record_pinned', 'record_dynamic_furl', 'record_static_furl', 'record_meta_keywords', 'record_meta_description', 'record_template', 'record_topicid',
                            'record_comments_queued' );

        if( in_array( $key, $protected ) )
        {
            return false;
        }

        if( preg_match( '/^field_\d+$/', $key ) )
        {
            return false;
        }

        return true;
    }
Highly appreciated, and I can wholeheartedly agree with your statement, but have seen too many cases of users not knowing these keys have meaning in the system and using them, and the results thereof.
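
A stand-alone version of the check discussed in this report, as an added example that is not IP.Content's own code: it goes slightly beyond checkFieldKey() by validating the key's format first and comparing names case-insensitively. The function name, return values, format rule, shortened reserved list and sample data are assumptions.

```php
<?php
// Added example, not IP.Content code. validateFieldKey(), the format rule and
// the sample data below are assumptions made for illustration.

// Subset of the protected list from checkFieldKey(), stored lowercase.
const RESERVED_KEYS = [
    'record_link', 'url', 'title', 'content', '_isread', '_database',
    'category_link', 'primary_id_field', 'member_id', 'category_id',
];

/**
 * Returns null when $key is acceptable, otherwise a short rejection reason.
 */
function validateFieldKey(string $key, array $existingKeys, array $categoryColumns): ?string
{
    // Allowlist the shape first so only identifier characters go any further.
    // \z (not $) so a trailing newline cannot slip through.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $key)) {
        return 'format';
    }
    // MySQL column names are not case-sensitive, so compare in lowercase.
    $needle = strtolower($key);
    $lower  = static fn(array $names): array => array_map('strtolower', $names);

    if (in_array($needle, $lower($existingKeys), true)) {
        return 'duplicate';
    }
    if (in_array($needle, $lower($categoryColumns), true)) {
        return 'category_column';
    }
    if (in_array($needle, RESERVED_KEYS, true)) {
        return 'reserved';
    }
    // Keys matching the field_<digits> pattern that checkFieldKey() also rejects.
    if (preg_match('/^field_\d+\z/', $needle)) {
        return 'internal_pattern';
    }
    return null;
}

// Constructed sample data: existing field keys and category table columns.
$existing = ['summary', 'price'];
$category = ['category_name', 'category_position'];
foreach (['Title', 'field_12', 'Price', 'category_name', "rating'value", 'release_date'] as $key) {
    printf("%-16s %s\n", $key, validateFieldKey($key, $existing, $category) ?? 'ok');
}
```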