Context Navigation

← Previous Ticket
Next Ticket →

#3148 closed defect (bug) (fixed)

Convertor: Validate the received value for 'Rows Limit"

Reported by:	jrf	Owned by:	johnjamesjacoby
Milestone:	2.5.14	Priority:	high
Severity:	normal	Version:	2.5
Component:	API - Importers	Keywords:	has-patch
Cc:	johnjamesjacoby, jrf

Description

According to the HTML, the row limit is supported to be between 1 and 5000.
Currently this value was not being validated, so negative values or very high values could be passed via a script or when a browser would disregard the min/max as indicated in the HTML.

As a best practice, input should be validated server side anyway.

This minor change adds the necessary validation and ensures that the value is always between 1 and 5000.

Attachments (1)

trac-3148-validate-min-max-rows.patch (513 bytes) - added by jrf 6 years ago.

Download all attachments as: .zip

Change History (4)

@jrf
6 years ago

Attachment trac-3148-validate-min-max-rows.patch added

#1 @johnjamesjacoby
6 years ago

In 6661:

Converter: bind number-of-rows attribute to between 1 and 5000.

This change adds validation to ensure no unexpected number of database rows are queried.

Trunk, for 2.6. Props jrf. See #3148.

#2 @johnjamesjacoby
6 years ago

Owner set to johnjamesjacoby
Resolution set to fixed
Status changed from new to closed

In 6662:

Converter: bind number-of-rows attribute to between 1 and 5000.

This change adds validation to ensure no unexpected number of database rows are queried, and also back-ports sanitization to database connection values from trunk.

2.5 branch, for 2.5.14. Props jrf. Fixes #3148.

#3 @johnjamesjacoby
6 years ago

Milestone changed from Awaiting Review to 2.5.14
Priority changed from normal to high
Version changed from trunk to 2.5

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

bbPress.org