fixed two security problems with www_process in DataForm.pm

Matthew Wilson 2006-03-09 23:05:11 +00:00
parent ef7d7c5f6f
commit c5c5f93b76


@ -1069,6 +1069,7 @@ sub www_moveTabLeft {
#-------------------------------------------------------------------
sub www_process {
my $self = shift;
return $self->session->privilege->insufficient() unless $self->canView;
my $entryId = $self->setCollateral("DataForm_entry","DataForm_entryId",{
DataForm_entryId=>$self->session->form->process("entryId"),
assetId=>$self->getId,
@ -1106,7 +1107,7 @@ sub www_process {
and DataForm_fieldId=".$self->session->db->quote($row{DataForm_fieldId}));
if ($exists) {
$self->session->db->write("update DataForm_entryData set value=".$self->session->db->quote($value)."
where DataForm_entryId=".$self->session->db->quote($entryId)." and DataForm_fieldId=".$self->session->db->quote($row{DataForm_fieldId}));
where DataForm_entryId=".$self->session->db->quote($entryId)." and DataForm_fieldId=".$self->session->db->quote($row{DataForm_fieldId})) if $self->canEdit;
$updating = 1;
} else {
$self->session->db->write("insert into DataForm_entryData (DataForm_entryId,DataForm_fieldId,assetId,value) values
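Review bot: The `if $self->canEdit` added to the update statement only skips that one write; `$updating = 1` on the next line still runs and the request carries on, so a submission from a user without edit rights is silently dropped rather than refused. The `setCollateral` call at the top of `www_process` also receives the client-supplied `entryId` after only the `canView` check, and if it modifies an existing entry row (its behaviour is not visible here) that path is still unguarded. I would make the decision once, before `setCollateral`: when the submitted entryId refers to an existing entry and `$self->canEdit` is false, `return $self->session->privilege->insufficient();` as the `canView` line does. A postfix condition at the end of a two-line SQL string is also easy to overlook, so a block `if ($self->canEdit) { ... }` around the write would read better. The body of `www_process` continues outside both hunks.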