Rating values are not bounds-checked

VERIFIED FIXED

Status

addons.mozilla.org Graveyard
Public Pages
--
major
VERIFIED FIXED
12 years ago
2 years ago

People

(Reporter: Mook, Assigned: fligtar)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
There have been at least two instances where people submitted a rating of 255 to extensions.  The range for the rating should be bounded to the valid values.

(Sorry, I'm not sure if that's the right file, but the highlight should illustrate the problem)
(Assignee)

Comment 1

12 years ago
The two comments Mook is referring to are:
https://addons.mozilla.org/firefox/1202/
https://addons.mozilla.org/firefox/60/

I checked my DB dump from Oct 12 and there were no values above 5. I'll work on a patch for this now, and hopefully we can push with the tshirt update tomorrow (Monday).
Assignee: nobody → fligtar
Severity: normal → major
OS: Windows XP → All
Hardware: PC → All
(Assignee)

Comment 2

12 years ago
Created attachment 242375 [details] [diff] [review]
patch for addcomment

This patch prevents people from giving ratings less than 0 or greater than 5 via post data tampering.

Also, the following SQL should be run:
UPDATE `feedback` SET `CommentVote`='5' WHERE `CommentVote`>5;

(and just out of curiosity, could ops tell us how many rows that affects?)
Attachment #242375 - Flags: first-review?(morgamic)
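The fix described in this comment has two parts: a server-side bounds check on the rating taken from the POST body (the form only offers 0 to 5, so anything else is tampering), and a one-off UPDATE that clamps the rows already stored. The following is an added example, not the AMO patch or AMO's code: it validates a submitted rating the way the description states (reject anything below 0 or above 5), then runs the exact UPDATE from this comment against a constructed copy of the `feedback` table in SQLite, reporting the affected-row count the comment asks ops for and recomputing each add-on's average afterwards. The table layout (`CommentID`, `AddonID`, `CommentVote`), the sample rows and the add-on IDs are assumptions made for the example; the real schema is not shown on this page.

```python
"""Added example (not addons.mozilla.org code): bounds-check a rating
submitted via POST, then clamp already-stored out-of-range rows."""
import re
import sqlite3

# Bounds stated in the patch description: reject < 0 or > 5.
RATING_MIN, RATING_MAX = 0, 5


def parse_rating(raw):
    """Return the submitted rating as an int, or None if it is not an
    integer within [RATING_MIN, RATING_MAX].

    The form can only send 0..5, so anything else (255, -1, "5.0",
    "abc", an absent field) is treated as tampering and rejected rather
    than stored.  The range check is the part that matters: int("255")
    parses fine, it is simply not a valid rating."""
    if raw is None:
        return None
    text = str(raw).strip()
    if not re.fullmatch(r"-?\d+", text):
        return None
    value = int(text)
    if value < RATING_MIN or value > RATING_MAX:
        return None
    return value


# The cleanup statement exactly as given in comment 2.  SQLite accepts the
# MySQL backtick quoting, and the INTEGER column coerces '5' to 5.
CLEANUP_SQL = "UPDATE `feedback` SET `CommentVote`='5' WHERE `CommentVote`>5;"

# Constructed sample rows (CommentID, AddonID, CommentVote); the 255s stand
# in for the tampered ratings the bug reports.  Schema and IDs are assumed.
SAMPLE_FEEDBACK = [
    (1, 1202, 4),
    (2, 1202, 255),
    (3, 1202, 5),
    (4, 60, 255),
    (5, 60, 3),
    (6, 60, 5),
]


def load_feedback(rows=SAMPLE_FEEDBACK):
    """Build an in-memory feedback table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE feedback ("
        "CommentID INTEGER PRIMARY KEY, AddonID INTEGER, CommentVote INTEGER)"
    )
    conn.executemany("INSERT INTO feedback VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def cleanup_out_of_range(conn):
    """Run the clamp UPDATE and return how many rows it changed
    (the number comment 2 asks ops to report)."""
    cur = conn.execute(CLEANUP_SQL)
    conn.commit()
    return cur.rowcount


def average_rating(conn, addon_id):
    """Recompute an add-on's average directly from the table, so the
    figure reflects the clamped values (comment 6 notes the cached
    averages needed separate prodding to update)."""
    row = conn.execute(
        "SELECT AVG(CommentVote) FROM feedback WHERE AddonID = ?", (addon_id,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    for submitted in ("5", "0", "255", "-1", "5.0", "abc", None):
        print(f"POST CommentVote={submitted!r:8} -> {parse_rating(submitted)!r}")
    db = load_feedback()
    for addon in (1202, 60):
        print(f"addon {addon} average before cleanup: {average_rating(db, addon):.2f}")
    print("rows clamped:", cleanup_out_of_range(db))
    for addon in (1202, 60):
        print(f"addon {addon} average after cleanup:  {average_rating(db, addon):.2f}")
```

Note that the clamp only repairs values above 5; with the assumed sample rows it changes two rows and drops add-on 1202's average from 88 to about 4.67. The check in `parse_rating` is the durable part, since rejecting the value at submission time means there is nothing to clean up later.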
(Assignee)

Updated

12 years ago
Status: NEW → ASSIGNED
Comment 3

Comment on attachment 242375 [details] [diff] [review]
patch for addcomment

Looks good.
Attachment #242375 - Flags: first-review?(morgamic) → first-review+
(Assignee)

Comment 4

12 years ago
This has been pushed to production.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 5

12 years ago
Verifying - cannot post an out of bounds rating by tampering with form data, and the offending ratings have been reduced to 5.
Group: update-security
Status: RESOLVED → VERIFIED

Comment 6

12 years ago
Took some additional prodding to get the add-ons' average ratings to update. Good work getting this fixed fligtar, and thanks for reporting it Mook.
Product: addons.mozilla.org → addons.mozilla.org Graveyard