Bug 356781 (Closed): Rating values are not bounds-checked
Opened 18 years ago
Closed 18 years ago
Categories: addons.mozilla.org Graveyard :: Public Pages, defect
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: Mook, Assigned: fligtar
Attachments (1 file): patch, 1.16 KB, morgamic: first-review+
There have been at least two instances where people submitted a rating of 255 to extensions. The range for the rating should be bounded to the valid values. (Sorry, I'm not sure if that's the right file, but the highlight should illustrate the problem.)
Comment 1 • 18 years ago (Assignee)
The two comments Mook is referring to are:
https://addons.mozilla.org/firefox/1202/
https://addons.mozilla.org/firefox/60/
I checked my DB dump from Oct 12 and there were no values above 5. I'll work on a patch for this now, and hopefully we can push with the tshirt update tomorrow (Monday).
Assignee: nobody → fligtar
Severity: normal → major
OS: Windows XP → All
Hardware: PC → All
Comment 2 • 18 years ago (Assignee)
This patch prevents people from giving ratings less than 0 or greater than 5 via POST data tampering. Also, the following SQL should be run:
UPDATE `feedback` SET `CommentVote`='5' WHERE `CommentVote`>5;
(and just out of curiosity, could ops tell us how many rows that affects?)
Attachment #242375 - Flags: first-review?(morgamic)
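The server-side check described in comment 2, together with a clean-up of rows that were stored before the check existed, as an added example. This is illustrative Python written for this page, not the patch attached to the bug (which is not reproduced here) and not AMO's own code. It assumes a form field named "rating", an accepted range of 0 to 5 inclusive (the bounds comment 2 states), and stored rows represented as dicts with a "CommentVote" key; the submissions and rows it runs over are constructed for the example. Where comment 2's UPDATE clamps only values above 5, the clamp below also covers values below 0.

```python
"""Bounds-check a submitted rating on the server and clamp already-stored votes.

Added example for bug 356781; not the bug's patch. Assumptions (not from the
bug): form field "rating", valid range 0..5 inclusive, rows as dicts with a
"CommentVote" key. Sample submissions and rows are constructed below.
"""

from typing import Optional

MIN_RATING = 0  # lower bound named in comment 2 ("less than 0")
MAX_RATING = 5  # upper bound named in comment 2 ("greater than 5")


class InvalidRating(ValueError):
    """Raised when a submitted rating is missing, non-numeric or out of bounds."""


def parse_rating(form: dict, field: str = "rating") -> int:
    """Return the validated integer rating from form data or raise InvalidRating.

    The check runs on the server after the raw POST value is coerced to int, so
    a tampered body (255, -1, "5abc") is rejected instead of stored. A limited
    <select> in the HTML form is not a control; the client can send anything.
    """
    raw = form.get(field)
    if raw is None:
        raise InvalidRating("rating is required")
    text = str(raw).strip()
    # Strict integer syntax: optional leading '-', then digits only.
    if not (text.isdigit() or (text.startswith("-") and text[1:].isdigit())):
        raise InvalidRating(f"rating is not an integer: {raw!r}")
    value = int(text)
    if not MIN_RATING <= value <= MAX_RATING:
        raise InvalidRating(f"rating {value} outside {MIN_RATING}..{MAX_RATING}")
    return value


def accept_rating(form: dict) -> Optional[int]:
    """Validated rating, or None when the submission is rejected."""
    try:
        return parse_rating(form)
    except InvalidRating:
        return None


def clamp_existing_votes(rows: list[dict]) -> tuple[list[dict], int]:
    """Clamp stored CommentVote values into range; returns (rows, rows changed).

    Equivalent in spirit to comment 2's UPDATE for values above 5, but also
    pulls negative values up to MIN_RATING.
    """
    changed = 0
    cleaned = []
    for row in rows:
        vote = row["CommentVote"]
        fixed = max(MIN_RATING, min(MAX_RATING, vote))
        if fixed != vote:
            changed += 1
        cleaned.append({**row, "CommentVote": fixed})
    return cleaned, changed


def average_rating(rows: list[dict]) -> float:
    """Mean of stored votes: the figure a single stored 255 distorts."""
    if not rows:
        return 0.0
    return sum(r["CommentVote"] for r in rows) / len(rows)


# Constructed sample rows (not data from the bug's database).
SAMPLE_ROWS = [
    {"id": 1, "CommentVote": 5},
    {"id": 2, "CommentVote": 4},
    {"id": 3, "CommentVote": 255},  # a tampered submission that was stored
    {"id": 4, "CommentVote": 3},
]

if __name__ == "__main__":
    for submitted in ("4", "255", "-1", "5abc", "", None):
        print(repr(submitted), "->", accept_rating({"rating": submitted}))
    print("average before cleanup:", average_rating(SAMPLE_ROWS))
    cleaned, n = clamp_existing_votes(SAMPLE_ROWS)
    print(f"rows changed: {n}, average after cleanup: {average_rating(cleaned)}")
```

The integer parse is deliberately strict: "5.0", "+4" and "5abc" are rejected rather than coerced, so the only values that reach the bounds comparison are ones the form was meant to produce. The clamp is what comment 5 verifies (offending ratings reduced to 5); the recomputed average is the part comment 5 notes needed extra prodding.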
Updated • 18 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 3 • 18 years ago
Comment on attachment 242375 [details] [diff] [review] patch for addcomment Looks good.
Attachment #242375 - Flags: first-review?(morgamic) → first-review+
Comment 4 • 18 years ago (Assignee)
This has been pushed to production.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 5 • 18 years ago (Assignee)
Verifying - cannot post an out of bounds rating by tampering with form data, and the offending ratings have been reduced to 5.
Group: update-security
Status: RESOLVED → VERIFIED
Took some additional prodding to get the add-ons' average ratings to update. Good work getting this fixed fligtar, and thanks for reporting it Mook.
Updated • 8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard