J4 Issue ?
PhilETaylor
7 Oct 2020

Steps to reproduce the issue

Joomla 4 -> Add Article -> Save
Edit same article
Edit HTML of the page with inspector tools

Change the value of the jform_created_by_id field:

<input type="hidden" id="jform_created_by_id" name="jform[created_by]" value="Mr Hacker" class="field-user-input " data-onchange="">

Expected result

Validation before hitting the database with a "string"

Actual result

Save failed with the following error: Incorrect integer value: 'Mr Hacker' for column 'created_by' at row 1

[Screenshot 2020-10-07 at 02:06:13]

Additional comments

Do the same again, but this time use a non-valid integer number like 999999:

<input type="hidden" id="jform_created_by_id" name="jform[created_by]" value="999999" class="field-user-input " data-onchange="">

Save.

NOTE THAT 999999 PERSISTS IN THE DATABASE!!!!!!!! This id is invalid; it's not a user id of an existing user.

[Screenshot 2020-10-07 at 02:07:57]

PhilETaylor - open - 7 Oct 2020
joomla-cms-bot - change - 7 Oct 2020
Labels Added: ?
joomla-cms-bot - labeled - 7 Oct 2020
brianteeman - comment - 7 Oct 2020

Like all validation in Joomla, it is broken. I've banged my head against a brick wall for 18 months over this, trying to convince people.

Quy - comment - 7 Oct 2020

Related #29855

PhilETaylor - comment - 7 Oct 2020

Related #29855

In so much as the user-not-found message only, but the real reason for opening this issue was not for that: it was to highlight the complete lack of validation that is allowing a string to get as far as an integer database column, unfiltered and unchecked. I should also NOT be able to set a new user id of a user that doesn't exist.

Probably should have been an email to @joomla/security, but I had already posted before I realised the true depth of this issue.

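As an added example (not code from this issue or from Joomla's own codebase), a server-side check that rejects both inputs reported above before any query runs: a non-integer value such as "Mr Hacker", and an integer such as 999999 that matches no user. The `userExists` callback and the sample user list are hypothetical stand-ins for a lookup against the users table.

```php
<?php
// Added example: validate a submitted created_by value before it reaches an
// integer database column. Not Joomla code; $userExists is a hypothetical
// callback (e.g. a lookup against the users table) supplied by the caller.

function validateCreatedBy($raw, callable $userExists)
{
    // Reject anything that is not a plain decimal integer: "Mr Hacker",
    // "12abc", "1e3", "42.0". FILTER_VALIDATE_INT also rejects out-of-range
    // values, and min_range drops 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['ok' => false, 'error' => 'created_by must be a positive integer'];
    }

    // A well-formed integer is not enough: it must name an existing user,
    // otherwise an id like 999999 would be stored unchecked.
    if (!$userExists($id)) {
        return ['ok' => false, 'error' => "No user with id $id"];
    }

    return ['ok' => true, 'value' => $id];
}

// Constructed sample user table standing in for the real database lookup.
$knownUsers = [42 => 'editor', 110 => 'admin'];
$userExists = function (int $id) use ($knownUsers): bool {
    return array_key_exists($id, $knownUsers);
};

// The two inputs from the report plus a valid id and two edge cases.
foreach (['Mr Hacker', '999999', '42', '-1', '42.0'] as $submitted) {
    $result = validateCreatedBy($submitted, $userExists);
    printf(
        "%-12s => %s\n",
        var_export($submitted, true),
        $result['ok'] ? "accepted (user {$result['value']})" : "rejected: {$result['error']}"
    );
}
```

Only '42' is accepted; the other four are rejected before the value can reach the column, so the database error in the report never occurs.
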
jwaisner - change - 2 Nov 2020
Labels Added: J4 Issue
jwaisner - labeled - 2 Nov 2020
wilsonge - comment - 18 Dec 2020

I assume this isn't specific to J4?

wilsonge - close - 18 Dec 2020
wilsonge - comment - 18 Dec 2020

Pull request for J4 anyhow #31698

wilsonge - change - 18 Dec 2020
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2020-12-18 05:03:34
Closed_By: wilsonge
