Edgewall Software
Modify

Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#5826 closed defect (invalid)

ticket submit validation is broken for cnum

Reported by: phpxcache@… Owned by: Jonas Borgström
Priority: normal Milestone:
Component: ticket system Version: 0.10.4
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

spam bots tends to submit data from their own client instead of a browser, and he can forge any data for any fields, and it looks like trac ticket system just accept it and store in db. but how come the ticket system complaint about invalidate data in ticket?

raise InvalidTicket('Invalid comment threading identifier')

suggested fixes:

  • validate data before submit
  • when data corrupted/invalidated, trac should ignore it and/or fill a default data.

Attachments (0)

Change History (4)

comment:1 by Noah Kantrowitz, 13 years ago

Resolution: worksforme
Status: newclosed

Data is indeed validated on the way in (http://trac.edgewall.org/browser/trunk/trac/ticket/web_ui.py#L712). Ignoring invalid data when you know it didn't get there via normal channels (since that is checked) is a very bad idea. Generally failures on that end would be due to either manual database operations or corruption. In either case the best option is to alert the user, who can in turn alert an admin. The validation system is also modular (see ITicketManipulator), so you can add new input rules if you need.

comment:2 by phpxcache@…, 13 years ago

Resolution: worksforme
Status: closedreopened
Summary: ticket submit validationticket submit validation is broken for cnum

i'm sure it's broken

See http://www.hosted-projects.com/trac/TracDemo/Demo/ticket/295

reproduce

  1. create ticket
  2. view the ticket
  3. save the page html code as 295.htm, and add {{{<base href="http://www.hosted-projects.com/trac/TracDemo/Demo/ticket/295" />

}}} right after <head>

  1. load 295.htm, fill cnum field with non numeric data
  2. submit, and view the ticket. gotcha!

comment:3 by phpxcache@…, 13 years ago

Resolution: invalid
Status: reopenedclosed

it seems fixed in 0.10.4

comment:4 by Emmanuel Blot, 13 years ago

Milestone: 0.10.5

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.