fixed: user profile defaults can contain arbitrary perl code
parent
93a6dc0568
commit
f4f6d19e96
3 changed files with 60 additions and 23 deletions
16
t/User.t
16
t/User.t
|
|
@ -430,6 +430,21 @@ $buster->uncache;
|
|||
$buster3 = WebGUI::User->new($session, $buster->userId);
|
||||
is($buster3->profileField('listProfile'), 'alpha', 'profile field with default data value that is a list gives the user the first value');
|
||||
|
||||
################################################################
|
||||
#
|
||||
# Attempt to eval userProfileData
|
||||
#
|
||||
################################################################
|
||||
|
||||
my %evalProfile = %copiedAliasProfile;
|
||||
$evalProfile{'fieldName'} = 'evalProfile';
|
||||
$evalProfile{'dataDefault'} = q!$session->scratch->set('hack','true'); 1;!;
|
||||
my $evalProfileField = WebGUI::ProfileField->create($session, 'evalProfile', \%evalProfile);
|
||||
|
||||
$buster->uncache;
|
||||
my $buster4 = WebGUI::User->new($session, $buster->userId);
|
||||
is($session->scratch->get('hack'), undef, 'userProfile dataDefault is not executed when creating users');
|
||||
|
||||
################################################################
|
||||
#
|
||||
# getGroups
|
||||
|
|
@ -608,6 +623,7 @@ END {
|
|||
$profileField->set(\%originalFieldData);
|
||||
$aliasProfile->set(\%originalAliasProfile);
|
||||
$listProfileField->delete;
|
||||
$evalProfileField->delete;
|
||||
$visitor->profileField('email', $originalVisitorEmail);
|
||||
|
||||
$newProfileField->delete();
|
||||
|
|
|
|||
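Review bot: The new regression test asserts only after `WebGUI::User->new`, so it would still pass if the `dataDefault` string were evaluated lazily on the first read of the field rather than at construction; the fix itself is not visible in this section, so that is inferred. Consider also reading the field and re-checking the scratch, e.g. `$buster4->profileField('evalProfile');` followed by `is($session->scratch->get('hack'), undef, 'userProfile dataDefault is not executed when reading the profile field');`. If the fix regresses, the `hack` scratch variable stays set in the session, so the END block could also call `$session->scratch->delete('hack');` next to `$evalProfileField->delete;`. The END block starts before and continues past the second hunk, so the rest of the cleanup order cannot be checked from here.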