SiT! Bugs - SiT!
View Issue Details
ID: 0000130
Project: SiT!
Category: other
View Status: public
Date Submitted: 2008-07-21 16:38
Last Update: 2010-03-27 12:31
Reporter: ivan
Assigned To: ivan
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 3.60 LTS
Fixed in Version: 3.60 LTS
0000130: $_SESSION['formdata'] contains raw input with no checking
Session formdata (which is used for returning data to forms when an input error has occurred) contains raw GET or POST data; tags are not stripped, etc.

e.g.
$_SESSION['formdata']['add_task'] = $_POST;

This is then used in the form e.g.
echo "value='{$_SESSION['formdata']['add_task']['name']}'";

This is potentially very dangerous; we should cleanvar these variables before use.
We need to work out cleanvar() or equiv. for the following data input/output cases

HTML form -> database, database -> HTML form, HTML form -> HTML form (the formdata), HTML form -> email, database -> email, email -> database

The test data at http://sitracker.org/wiki/Development/Test_Data should be able to be input/stored and edited in every form, and also accepted as email in, and ok in email out.
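As an added example (not SiT! code and not the reporter's; the helper names html_attr() and refill_input() are assumptions and are not the project's cleanvar()), the following PHP shows the "HTML form -> HTML form" case from the report: the raw POST array is stored in $_SESSION['formdata'] exactly as the bug describes, but the value is escaped only when it is written back into the value attribute, with ENT_QUOTES so that the single-quoted value='...' style in the report is covered too. The round-trip check at the end shows why escaping belongs at the output boundary rather than before storage: escaping once and decoding once returns the original surname, while escaping a stored value a second time is what produces the "O'Neil" munging described in the notes. Assumes PHP 7 or later; the sample POST data is constructed.

```php
<?php
// Added example, not SiT! code: keep $_SESSION['formdata'] raw, escape at the HTML boundary.
declare(strict_types=1);

// Escape a value for a double- or single-quoted HTML attribute (or a text node).
// ENT_QUOTES converts both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of returning an empty string.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render an <input> whose value is refilled from session formdata after a failed submit.
function refill_input(string $form, string $field, array $session): string
{
    $value = $session['formdata'][$form][$field] ?? '';
    // A crafted request can send name[]=... ; an array is never a valid field value.
    if (!is_string($value)) {
        $value = '';
    }
    return sprintf('<input type="text" name="%s" value="%s">', html_attr($field), html_attr($value));
}

// Constructed sample of what a POST handler stores before redirecting back to the form.
$post = [
    'name'     => "O'Neil \"Ltd\" <b>not bold</b>",
    'priority' => ['nested' => 'x'],   // constructed non-scalar value
];
$session = [];
$session['formdata']['add_task'] = $post;   // stored raw, exactly as in the report

echo refill_input('add_task', 'name', $session), "\n";
echo refill_input('add_task', 'priority', $session), "\n";

// Round trip: one escape on output and one decode by the browser returns the original
// bytes, so the surname is not munged on edit.
$rendered = html_attr($post['name']);
if (html_entity_decode($rendered, ENT_QUOTES, 'UTF-8') !== $post['name']) {
    throw new RuntimeException('escape/decode round trip changed the value');
}

// Escaping an already-escaped value is the munging symptom: &#039; becomes &amp;#039;
// and the form shows the entity text instead of the apostrophe.
$double = html_attr($rendered);
if (html_entity_decode($double, ENT_QUOTES, 'UTF-8') === $post['name']) {
    throw new RuntimeException('unexpected: double escaping was reversible');
}
echo "single escape: {$rendered}\n";
echo "double escape: {$double}\n";
```

Run with `php example.php`; the second input renders with an empty value because the array is rejected, and the last two lines show the single- and double-escaped forms side by side. The same html_attr() output is also safe inside a text node, but not inside a JavaScript string or a URL, which need their own encoders.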
No tags attached.
Issue History
2008-07-21 16:38 | ivan | New Issue
2008-10-07 11:14 | paulh | Note Added: 0000109
2008-10-07 11:14 | paulh | Assigned To: => ivan
2008-10-07 11:14 | paulh | Status: new => feedback
2008-10-23 15:44 | ivan | Note Added: 0000130
2008-10-28 09:27 | ivan | Target Version: 3.40 => 3.41
2008-10-28 09:27 | ivan | Additional Information Updated
2008-11-18 11:46 | ivan | Note Added: 0000195
2008-11-18 11:46 | ivan | Severity: block => major
2008-11-29 23:32 | kieran | Target Version: 3.41 => 3.45
2009-01-28 15:17 | paulh | Target Version: 3.45 => 3.50
2009-05-29 14:48 | ivan | Additional Information Updated
2009-05-29 14:57 | ivan | Note Added: 0001153
2009-05-29 14:57 | ivan | Status: feedback => assigned
2009-05-29 14:57 | ivan | Target Version: 3.50 => 3.60
2010-03-20 16:11 | ivan | Fixed in Version: 3.60 LTS => Current SVN
2010-03-20 16:11 | ivan | Note Added: 0002751
2010-03-20 16:11 | ivan | Status: assigned => resolved
2010-03-20 16:11 | ivan | Fixed in Version: => 3.60 LTS
2010-03-20 16:11 | ivan | Resolution: open => fixed
2010-03-23 21:39 | ivan | Note Added: 0002845
2010-03-27 11:16 | ivan | Fixed in Version: Current SVN => 3.60 LTS
2010-03-27 12:31 | ivan | Status: resolved => closed

Notes
(0000109) paulh, 2008-10-07 11:14:
Need to check all vars got are clean

(0000130) ivan, 2008-10-23 15:44:
Adding a contact with surname O'Neil and then editing that contact causes the surname to be munged.

(0000195) ivan, 2008-11-18 11:46:
This isn't a blocking bug; it's not great, but it's not that bad.

(0001153) ivan, 2009-05-29 14:57:
Still fails for the test data in most cases, but it's not fatal and it's not very high visibility; bumping to 3.60 release as we don't have time left for this.

(0002751) ivan, 2010-03-20 16:11:
Fixed in 3.x svn r6291

(0002845) ivan, 2010-03-23 21:39:
Fixed in git 8cb65b3