oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Bugfix 859816: DataForm - security issues

Browse source
This commit is contained in:
Len Kranendonk 2003-12-14 12:32:34 +00:00
parent adef55be5f
commit a62d7c3fbe
2 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/changelog/6.x.x.txt
View file

@ -22,5 +22,6 @@
(Thanks to Mihai Bazon.) (Thanks to Mihai Bazon.)
- Updated the Form subsystem to use the new calendar for date and time - Updated the Form subsystem to use the new calendar for date and time
fields. fields.
- Bugfix 859816 : DataForm - security issues. Tnx Gabor for reporting.

3
lib/WebGUI/Wobject/DataForm.pm
View file

@ -615,8 +615,9 @@ sub www_process {
my $sth = WebGUI::SQL->read("select DataForm_fieldId,label,name,status,type,defaultValue,isMailField from DataForm_field my $sth = WebGUI::SQL->read("select DataForm_fieldId,label,name,status,type,defaultValue,isMailField from DataForm_field
where wobjectId=".$_[0]->get("wobjectId")." order by sequenceNumber"); where wobjectId=".$_[0]->get("wobjectId")." order by sequenceNumber");
while (%row = $sth->hash) { while (%row = $sth->hash) {
my $value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue}); my $value = $row{defaultValue};
if ($row{status} eq "required" || $row{status} eq "editable") { if ($row{status} eq "required" || $row{status} eq "editable") {
$value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue});
$value = WebGUI::Macro::filter($value); $value = WebGUI::Macro::filter($value);
} }
if ($row{status} eq "required" && ($value =~ /^\s$/ || $value eq "" || not defined $value)) { if ($row{status} eq "required" && ($value =~ /^\s$/ || $value eq "" || not defined $value)) {