ticket submit validation is broken for cnum

[phpxcache@…]

spam bots tends to submit data from their own client instead of a browser, and he can forge any data for any fields, and it looks like trac ticket system just accept it and store in db. but how come the ticket system complaint about invalidate data in ticket?

raise InvalidTicket?('Invalid comment threading identifier')

suggested fixes:

• validate data before submit
• when data corrupted/invalidated, trac should ignore it and/or fill a default data.

[nkantrowitz]

Data is indeed validated on the way in (http://trac.edgewall.org/browser/trunk/trac/ticket/web_ui.py#L712). Ignoring invalid data when you know it didn't get there via normal channels (since that is checked) is a very bad idea. Generally failures on that end would be due to either manual database operations or corruption. In either case the best option is to alert the user, who can in turn alert an admin. The validation system is also modular (see ITicketManipulator), so you can add new input rules if you need.

[phpxcache@…]

i'm sure it's broken

See ​http://www.hosted-projects.com/trac/TracDemo/Demo/ticket/295

reproduce

1. create ticket
2. view the ticket
3. save the page html code as 295.htm, and add {{{<base href="​http://www.hosted-projects.com/trac/TracDemo/Demo/ticket/295" />

}}} right after <head>

5. load 295.htm, fill cnum field with non numeric data
6. submit, and view the ticket. gotcha!

[phpxcache@…]

it seems fixed in 0.10.4