Click / CLK-726

bypass_validation opens security hole

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.3.0-M1
    • Component/s: core
    • Labels: None

      Description

      An attacker can easily bypass form validation by setting the hidden field "bypass_validation" to true. A call to form.isValid() returns true though the validators have not been run. If the software relies on the form validators, it's easy to get "evil" data in the application.
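
The flaw described above, modelled as an added example (not Click's code and not the fix shipped in 2.3.0-M1): `TrustingForm` and `ServerDecidedForm` are hypothetical classes, and the request is a constructed map. The first lets a request parameter decide whether validators run; the second takes that decision from server-side state only.

```java
import java.util.*;
import java.util.function.Predicate;

// Minimal model of the flaw in CLK-726. Hypothetical classes, not Click's own Form API.
public class BypassValidationDemo {

    /** A form whose validators are skipped when the request asks for it (the reported behaviour). */
    static class TrustingForm {
        final Map<String, Predicate<String>> validators = new LinkedHashMap<>();
        final List<String> errors = new ArrayList<>();

        void process(Map<String, String> request) {
            errors.clear();
            if (skipRequested(request)) {
                return; // validators never run, so errors stays empty
            }
            validators.forEach((field, rule) -> {
                if (!rule.test(request.getOrDefault(field, ""))) errors.add(field);
            });
        }

        // Client-controlled: any request can carry this parameter.
        boolean skipRequested(Map<String, String> request) {
            return "true".equals(request.get("bypass_validation"));
        }

        boolean isValid() { return errors.isEmpty(); }
    }

    /** Same form, but the skip decision comes only from server-side state. */
    static class ServerDecidedForm extends TrustingForm {
        boolean skipAllowed = false; // assumption: set only by server code, never from the request

        @Override boolean skipRequested(Map<String, String> request) {
            return skipAllowed; // the request parameter is ignored
        }
    }

    public static void main(String[] args) {
        // Constructed request: an invalid age plus the hidden field set by the client.
        Map<String, String> request = Map.of("age", "-5", "bypass_validation", "true");
        for (TrustingForm form : List.of(new TrustingForm(), new ServerDecidedForm())) {
            form.validators.put("age", v -> v.matches("\\d{1,3}"));
            form.process(request);
            System.out.println(form.getClass().getSimpleName() + " isValid=" + form.isValid());
        }
    }
}
```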

          People

          • Assignee: Bob Schellink
          • Reporter: Moritz Kammerer