Skip to:
Content

bbPress.org

Opened 13 years ago

Closed 13 years ago

#2363 closed defect (bug) (fixed)

New topics and replies can be parentless

Reported by: johnjamesjacoby's profile johnjamesjacoby Owned by: johnjamesjacoby's profile johnjamesjacoby
Milestone: 2.4 Priority: high
Severity: major Version: 2.1
Component: General - Content Creation Keywords: has-patch
Cc:

Description

When posting a new topic or reply, we currently do not force the proposed post_parent post ID to exist. This was originally by design, to allow for flexibility in the forum/topic/reply relationship, but because the eventual post_parent is passed via a form field, it's easy to manipulate.

To duplicate:

  • Login
  • Visit a single forum page
  • Inspect the "New Topic" fieldset
  • Change the 'bbp_forum_id' field value to -1
  • Submit a new topic

The same can be done with a new reply on a single topic.

The solution is to add more error handling to the bbp_new_reply_handler() and bbp_new_topic_handler() functions, to make sure the proposed post_parent actually exists, and to explicitly prevent negative post ID's.

Attachments (2)

2363.patch (4.8 KB) - added by johnjamesjacoby 13 years ago.
2363.2.patch (4.8 KB) - added by johnjamesjacoby 13 years ago.

Download all attachments as: .zip

Change History (4)

@johnjamesjacoby
13 years ago

@johnjamesjacoby
13 years ago

#1 @johnjamesjacoby
13 years ago

2363.2.patch fixes some inline doc.

#2 @johnjamesjacoby
13 years ago

  • Owner set to johnjamesjacoby
  • Resolution set to fixed
  • Status changed from new to closed

In 5009:

Introduce additional forum/topic ID validation when posting new topics and replies. Prevents empty/negative/non-existent post_parent. Fixes #2363.

Note: See TracTickets for help on using tickets.