[#14210] - [com_fields] [3.7b3] [SECURITY] SQL Field by default lists User Id's and User Names
- Closed
- 23 Feb 2017
- Medium
- Build: staging
- # 14210
Steps to reproduce the issue
Create a new SQL field, without specifying a SQL query. Save it (cause you are a dumb admin, or busy, or any other reason you dont know what you are doing)
A visitor on the front end, logs in, (with permission to edit/contribute/author kind of perms) edits an article
The SQL is hard coded here:
https://github.com/joomla/joomla-cms/blob/staging/plugins/fields/sql/sql.php#L48
and here:
https://github.com/joomla/joomla-cms/blob/staging/plugins/fields/sql/tmpl/sql.php#L32
Expected result
That Joomla doesn't hand that frontend user (could be a hacker!) a complete list of all user id integers and their associated user Name's
Actual result
A dropdown list is provided of the user id and user name of each and EVERY user registered in the Joomla site. With No limit on the number either!
joomla-cms-bot
- | Labels |
Added:
?
|
||
i'm on a PR that makes the query parameter required and removing the default values.
Probably because I complained that without a SQL query it gave an error message last time ;-)
So you're the guilty one
see here @PhilETaylor #14214
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-02-23 18:36:14 |
| Closed_By | ⇒ | zero-24 |
Agreed, it actually shouldn't have any default values at all. Not sure why it has one.