[CLK-726] bypass_validation opens security hole - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.0
Fix Version/s: 2.3.0-M1
Component/s: core
Labels:
None

Description

An attacker can easily bypass form validation by setting the hidden field "bypass_validation" to true. A call to form.isValid() returns true though the validators have not been run. If the software relies on the form validators, its easy to get "evil" data in the application.

Attachments

Activity

People

Assignee:: Bob Schellink

Reporter:: Moritz Kammerer

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 03/Nov/10 22:28

Updated:: 20/Nov/10 06:30

Resolved:: 20/Nov/10 06:30