From 106fcaedf731db2808dbc97febaae410f000e446 Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Mon, 11 Oct 2010 13:11:56 -0700
Subject: [PATCH] Fix a form injection problem with the EMS. Addresses bug #11773.

---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Asset/Wobject/EventManagementSystem.pm | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 78aaf0e40..47500b6d6 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -2,6 +2,7 @@
  - fixed #11903: Unnecessary debug in Thingy
  - fixed #11908: Inbox messages linger after deleting a user
  - fixed #11909: Wrong message count in the inbox
+ - fixed #11773: Form injection in the EMS event ordering code.
 7.10.2
  - fixed #11884: Editing Templates impossible / Code editor not loaded
diff --git a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
index 81ef87a67..a47d10ba7 100644
--- a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
+++ b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
@@ -2456,7 +2456,8 @@ Method to move an event down one position in display order
 sub www_moveEventMetaFieldDown {
 my $self = shift;
 return $self->session->privilege->insufficient unless ($self->canEdit);
- $self->moveCollateralDown('EMSEventMetaField', 'fieldId', $self->session->form->get("fieldId"));
+ my $fieldId = $self->session->form->get("fieldId");
+ $self->moveCollateralDown('EMSEventMetaField', 'fieldId', $fieldId);
 return $self->www_manageEventMetaFields;
 }
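Review bot: Nothing in the new body of `www_moveEventMetaFieldDown` says why the form value is now copied into `my $fieldId` before the call, so the next tidy-up is likely to inline it straight back into the `moveCollateralDown` argument list and reopen #11773. The assignment is the whole fix: inside an argument list `$self->session->form->get("fieldId")` is evaluated in list context, and if form->get hands back every submitted value there, as the commit title implies, a request carrying several `fieldId` parameters would smuggle extra positional arguments into `moveCollateralDown`; the scalar assignment pins it to one value. Add a why-comment above the assignment, e.g. `# Keep this in a scalar: calling form->get inside the argument list runs it in list context and lets repeated fieldId parameters inject extra arguments (bug #11773).` It is also worth grepping the rest of the file for other `form->get(...)` calls passed directly as arguments, since this pattern is presumably not limited to the two move methods. The sub is fully inside the hunk.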
@@ -2471,7 +2472,8 @@ Method to move an event metdata field up one position in display order
 sub www_moveEventMetaFieldUp {
 my $self = shift;
 return $self->session->privilege->insufficient unless ($self->canEdit);
- $self->moveCollateralUp('EMSEventMetaField', 'fieldId', $self->session->form->get("fieldId"));
+ my $fieldId = $self->session->form->get("fieldId");
+ $self->moveCollateralUp('EMSEventMetaField', 'fieldId', $fieldId);
 return $self->www_manageEventMetaFields;
 }
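Review bot: The added `my $fieldId = ...` line in `www_moveEventMetaFieldUp` carries no explanation, and read cold it looks like a no-op refactor rather than a security fix, which invites someone to fold it back into the `moveCollateralUp` call. Forcing scalar context is the point: in the removed line the form->get call sat in an argument list and so ran in list context, where multiple `fieldId` values in one request could become extra arguments to `moveCollateralUp` (that form->get returns all values in list context is inferred from the commit title, not shown here). Suggest the same short why-comment as on the Down method so the two stay in step, e.g. `# Scalar on purpose: form->get in list context would let repeated fieldId params inject arguments (bug #11773).` Separately, the POD line quoted in the hunk header spells "metdata"; it sits outside the hunk, so a follow-up rather than this patch. The sub is fully inside the hunk.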