Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#3148 closed defect (fixed)

Convertor: Validate the received value for 'Rows Limit'

Reported by: jrf
Owned by: johnjamesjacoby
Milestone: 2.5.14
Priority: high
Severity: normal
Version: 2.5
Component: API - Importers
Keywords: has-patch
Cc: johnjamesjacoby, jrf

Description

According to the HTML, the row limit is supported to be between 1 and 5000. Currently this value was not being validated, so negative values or very high values could be passed via a script or when a browser would disregard the min/max as indicated in the HTML.

As a best practice, input should be validated server side anyway.

This minor change adds the necessary validation and ensures that the value is always between 1 and 5000.

Attachments (1)

trac-3148-validate-min-max-rows.patch (513 bytes) - added by jrf 9 months ago.


Change History (4)

#1 @johnjamesjacoby
9 months ago

In 6661:

Converter: bind number-of-rows attribute to between 1 and 5000.

This change adds validation to ensure no unexpected number of database rows are queried.

Trunk, for 2.6. Props jrf. See #3148.

#2 @johnjamesjacoby
9 months ago

  • Owner set to johnjamesjacoby
  • Resolution set to fixed
  • Status changed from new to closed

In 6662:

Converter: bind number-of-rows attribute to between 1 and 5000.

This change adds validation to ensure no unexpected number of database rows are queried, and also back-ports sanitization to database connection values from trunk.

2.5 branch, for 2.5.14. Props jrf. Fixes #3148.

#3 @johnjamesjacoby
9 months ago

  • Milestone changed from Awaiting Review to 2.5.14
  • Priority changed from normal to high
  • Version changed from trunk to 2.5
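
The server-side check the ticket description asks for, sketched as an added example; it is not the attached patch and not bbPress code. The function names and the fallback default of 100 are assumptions; only the 1 to 5000 range comes from the ticket.

```php
<?php
// Added example with hypothetical names; only the 1..5000 range is from the ticket.
const ROWS_MIN     = 1;
const ROWS_MAX     = 5000;
const ROWS_DEFAULT = 100; // assumed fallback, the ticket does not state one

// Before: a bare cast yields an integer but keeps -10 or 99999 as they are,
// because the min/max attributes in the HTML are only enforced by the browser.
function unvalidated_rows_limit($raw): int
{
    return (int) $raw;
}

// After: the result is always an integer within [ROWS_MIN, ROWS_MAX].
function sanitize_rows_limit($raw): int
{
    // Arrays (rows[]=1), null and other non-scalars fall back to the default.
    if (!is_scalar($raw)) {
        return ROWS_DEFAULT;
    }

    // FILTER_VALIDATE_INT rejects "abc", "12.5", "1e3" and values that
    // overflow a PHP integer, instead of silently truncating them.
    $value = filter_var(trim((string) $raw), FILTER_VALIDATE_INT);
    if ($value === false) {
        return ROWS_DEFAULT;
    }

    // Clamp well-formed but out-of-range numbers into the supported range.
    return max(ROWS_MIN, min(ROWS_MAX, $value));
}

// Constructed sample inputs, as a script or a non-enforcing browser could send them.
$samples = ['250', '-10', '0', '99999', '12.5', 'abc', ['1'], null];

foreach ($samples as $raw) {
    printf(
        "%-8s unvalidated=%-6d sanitized=%d\n",
        json_encode($raw),
        unvalidated_rows_limit($raw),
        sanitize_rows_limit($raw)
    );
}
```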