356781 - Rating values are not bounds-checked

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Public Pages, defect)

Description

[:Mook]

There has been at least two instances where people submitted a rating of 255 to extensions.  The range for the rating should be bounded to the valid values.

(Sorry, I'm not sure if that's the right file, but the highlight should illustrate the problem)

Comment 1

[Justin Scott [:fligtar]]

The two comments Mook is referring to are:
https://addons.mozilla.org/firefox/1202/
https://addons.mozilla.org/firefox/60/

I checked my DB dump from Oct 12 and there were no values above 5. I'll work on a patch for this now, and hopefully we can push with the tshirt update tomorrow (Monday).

Comment 2

[Justin Scott [:fligtar]]

Attachment: patch for addcomment

This patch prevents people from giving ratings less than 0 or greater than 5 via post data tampering.

Also, the following SQL should be run:
UPDATE `feedback` SET `CommentVote`='5' WHERE `CommentVote`>5;

(and just out of curiosity, could ops tell us how many rows that affects?)

Comment 3

[Michael Morgan [:morgamic]]

Comment on attachment 242375 [details] [diff] [review]
patch for addcomment

Looks good.

Comment 4

[Justin Scott [:fligtar]]

This has been pushed to production.

Comment 5

[Justin Scott [:fligtar]]

Verifying - cannot post an out of bounds rating by tampering with form data, and the offending ratings have been reduced to 5.

Comment 6

[Cameron]

Took some additional prodding to get the add-ons' average ratings to update. Good work getting this fixed fligtar, and thanks for reporting it Mook.