Details
Bug
Status: Closed
Critical
Resolution: Fixed
Nightly Build
None
Operating System: other
Platform: Other
14800
Description
The logic for getting an initial value for a form-property was flawed, in this
sense: If the initial value was an array, the initial() call would clone the
array but not the values in the array, meaning that all copies of the form
that used this property would share the same objects. This is a MAJOR
security hole, as it means that people can end up seeing other people's credit
card numbers, etc.
I've changed it to always compute the initial value again, rather than trying
to cache it. I've also removed the now-unused "initialized" property.
This patch also adds a form-property parameter called size. If it is
specified, the type must specify an array. It causes the property value to be
initialized to an array of the appropriate size, with newly instantiated
copies of the appropriate object type.
The addition of "size" has been "Official Approved by Craig", for what that's
worth, in that we talked about it at ApacheCon and he agreed it should be
added.
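
The sharing described in this report, shown as an added example that is not part of the original report and is not Struts code: cloning an array copies the array but not its elements, so two "forms" end up reading each other's data, while building a new array of newly instantiated elements does not. The class and method names (`SharedInitialDemo`, `CardEntry`, `initialShallow`, `initialFresh`) and the sample value are hypothetical and constructed for illustration.

```java
// Added illustration only: every name here is hypothetical, not a Struts API.
public class SharedInitialDemo {

    // Constructed stand-in for an element type held in an array-valued form property.
    static class CardEntry {
        String number = "";
    }

    // Constructed stand-in for an initial value that is built once and then reused.
    static final CardEntry[] CACHED = { new CardEntry(), new CardEntry() };

    // Flawed pattern: clone() yields a new array whose slots still reference
    // the same CardEntry objects as CACHED and as every other clone.
    static CardEntry[] initialShallow() {
        return CACHED.clone();
    }

    // Pattern the report describes for "size": compute the value each time,
    // as a new array of the requested size holding newly instantiated elements.
    static CardEntry[] initialFresh(int size) {
        CardEntry[] values = new CardEntry[size];
        for (int i = 0; i < size; i++) {
            values[i] = new CardEntry();
        }
        return values;
    }

    public static void main(String[] args) {
        // Two form instances, as two different users would get them.
        CardEntry[] userA = initialShallow();
        CardEntry[] userB = initialShallow();
        userA[0].number = "0000-CONSTRUCTED-SAMPLE"; // user A fills in the form

        System.out.println("shallow: arrays are distinct  = " + (userA != userB));
        System.out.println("shallow: element is shared    = " + (userA[0] == userB[0]));
        System.out.println("shallow: user B's form reads  = '" + userB[0].number + "'");

        CardEntry[] freshA = initialFresh(2);
        CardEntry[] freshB = initialFresh(2);
        freshA[0].number = "0000-CONSTRUCTED-SAMPLE";

        System.out.println("fresh:   element is shared    = " + (freshA[0] == freshB[0]));
        System.out.println("fresh:   user B's form reads  = '" + freshB[0].number + "'");
    }
}
```

A regression test for this class of bug should compare element identity (`==`) across two independently created form instances, since comparing the arrays themselves passes even when the elements are shared.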