Details
Improvement
Status: Closed
Minor
Resolution: Not A Problem
0.95.2
Description
The shell currently validates whatever metadata the user provides as an argument to alter; however, while looking at some other issue I noticed that user and system metadata are stored in the same dictionary in the descriptor, so shell validation is easy to bypass by setting a "user" metadata parameter with the same name as the system parameter.
E.g. I just set MAX_FILESIZE to "moo" via CONFIG.
This can be fixed in the shell; however, the general problem, I think, is that system configuration should be validated server-side (e.g. on the master), not just on the client.
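A minimal model of the gap described in this issue and of the server-side check it proposes, added here as an illustration and not taken from HBase. The `Descriptor` class, the method names and the validation rules in `SYSTEM_RULES` are assumptions made for the example.

```ruby
# Simplified model, constructed for illustration; not HBase code.
# The descriptor keeps system and user metadata in one map.
class Descriptor
  attr_reader :values

  def initialize
    @values = {}
  end

  def set_value(key, value)
    @values[key] = value.to_s
  end
end

# Assumed rules for system keys (hypothetical, for this example only).
SYSTEM_RULES = {
  'MAX_FILESIZE' => ->(v) { v.match?(/\A\d+\z/) && v.to_i > 0 },
  'READONLY'     => ->(v) { %w[true false].include?(v) }
}.freeze

# Client-side path: typed system arguments are validated,
# entries under CONFIG are copied into the same map unchecked.
def shell_alter(desc, args)
  args.each do |key, value|
    if key == 'CONFIG'
      value.each { |k, v| desc.set_value(k, v) } # no validation on this path
    else
      rule = SYSTEM_RULES[key]
      raise ArgumentError, "invalid #{key}: #{value}" if rule && !rule.call(value.to_s)
      desc.set_value(key, value)
    end
  end
  desc
end

# Server-side check: runs over the final merged map, so it does not
# matter which client path (or which client) wrote the value.
def master_validate(desc)
  desc.values.select { |k, v| SYSTEM_RULES.key?(k) && !SYSTEM_RULES[k].call(v) }.keys
end

def master_accept(desc)
  bad = master_validate(desc)
  raise ArgumentError, "rejected system values: #{bad.join(', ')}" unless bad.empty?
  desc
end
```

Because `master_accept` inspects the stored map rather than the request shape, the same check also covers clients other than the shell.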