Opened 10 years ago
Closed 10 years ago
#2719 closed defect (bug) (fixed)
Improve form field post request retention
Reported by: | johnjamesjacoby | Owned by: | johnjamesjacoby |
---|---|---|---|
Milestone: | 2.6 | Priority: | high |
Severity: | major | Version: | |
Component: | Tools - Code Improvements | Keywords: | has-patch |
Cc: | | | |
Description
When submitting a theme-side form, bbPress retains form field data to avoid the possibility of losing user submitted data should an error occur. These fields and their _form_ functions are a bit too trusting in their approach, and are mildly susceptible to a simple form of cross-site request forgery allowing form data to be set without user input.
The good news here (and why I'm publishing this publicly here) is all user input appears to be appropriately validated before it's saved, making this less of an exploit and more of an unintended consequence of a convenience feature.
The bad news is it affects several fields across the forum, topic, and reply components, making it a relatively sprawling change. I'm creating this ticket to get more eyes on the fix, and see if anything else smells similarly funky.
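As an added illustration of the weakness described in this ticket (example code, not bbPress's own code and not the changeset's fix): a trusting retention helper that reads merged request data, beside one that only re-populates a field from a nonce-verified POST submission. The function names, the field name and the `verify_form_nonce()` stand-in for `wp_verify_nonce()` are assumptions.

```php
<?php
// Added example (not bbPress code): a trusting form retention helper versus one
// that only echoes data back after a real, nonce-verified POST submission.
// Function names, the field name and the nonce helper are hypothetical.

// Weak: $_REQUEST merges GET and POST, so a value in the query string of a
// plain link is enough to pre-fill the field without any user input.
function weak_form_value(string $key): string {
    return isset($_REQUEST[$key]) ? (string) $_REQUEST[$key] : '';
}

// Stand-in for wp_verify_nonce(): compares the submitted token with the one
// expected for this user/session in constant time.
function verify_form_nonce(string $submitted, string $expected): bool {
    return $submitted !== '' && hash_equals($expected, $submitted);
}

// Hardened: only retain data that arrived in the body of a POST request that
// also carried a valid nonce, i.e. a submission the user actually made.
function retained_form_value(string $key, string $expected_nonce): string {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return '';
    }
    if (!verify_form_nonce((string) ($_POST['_nonce'] ?? ''), $expected_nonce)) {
        return '';
    }
    return isset($_POST[$key]) ? (string) $_POST[$key] : '';
}

// Output escaping still belongs at render time whichever helper supplied the
// value (esc_attr() in WordPress; htmlspecialchars() here so this runs alone).
function render_title_field(string $value): string {
    return '<input type="text" name="bbp_topic_title" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request: a GET carrying the field in its query string and no
// form body, the situation the ticket describes.
$_SERVER['REQUEST_METHOD'] = 'GET';
$_GET     = ['bbp_topic_title' => 'value the user never typed'];
$_REQUEST = $_GET;
$_POST    = [];
$nonce    = 'constructed-session-nonce';

echo "weak:     " . render_title_field(weak_form_value('bbp_topic_title')) . "\n";
echo "hardened: " . render_title_field(retained_form_value('bbp_topic_title', $nonce)) . "\n";
```

Run with `php example.php`: the weak helper renders the query-string value into the field, while the hardened helper renders an empty field because the request was neither a POST nor nonce-verified.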
In 5558: