Joomla 4 -> Add Article -> Save
Edit same article
Edit HTML of the page with inspector tools
change the value of the jform_created_by_id field
<input type="hidden" id="jform_created_by_id" name="jform[created_by]" value="Mr Hacker" class="field-user-input " data-onchange="">
Validation before hitting the database with a "string"
Save failed with the following error: Incorrect integer value: 'Mr Hacker' for column 'created_by' at row 1
Do the same again, but this time use a non valid integer number like 999999
<input type="hidden" id="jform_created_by_id" name="jform[created_by]" value="999999" class="field-user-input " data-onchange="">
Save.
NOTE THAT 999999 PERSISTS IN THE DATABASE!!!!!!!! This id is invalid; it's not the user id of an existing user.
Labels | Added: ? |
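The following is an added example, not code from the issue or from Joomla itself. It models the flaw described in the steps above: a hidden form field is trusted as-is and written to an integer column, so a non-existent user id persists, and only the database's column type stands between a string like "Mr Hacker" and the row. The model uses an in-memory SQLite database as a stand-in for Joomla's MySQL schema (an assumption: SQLite's integer affinity will even store the string, where MySQL in strict mode errors out, which is exactly why the check has to happen before the query). The validated path rejects a non-integer value and an id with no matching user row; a second table with a foreign key shows the schema-level backstop that would have caught 999999 regardless of application code.

```python
"""Model of the unvalidated created_by field (added example, not Joomla code).

SQLite stands in for MySQL; table names and sample users are constructed.
"""
import sqlite3

# Constructed sample users: ids 42 and 43 exist, 999999 does not.
SAMPLE_USERS = [(42, "editor"), (43, "author")]


def setup_db(enforce_fk=False):
    """In-memory users/content tables, optionally with a foreign key on created_by."""
    conn = sqlite3.connect(":memory:")
    if enforce_fk:
        conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    fk = ", FOREIGN KEY (created_by) REFERENCES users(id)" if enforce_fk else ""
    conn.execute(
        "CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT NOT NULL,"
        f" created_by INTEGER NOT NULL{fk})"
    )
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def save_unvalidated(conn, title, created_by_raw):
    """The behaviour the report describes: the submitted value goes straight to the column."""
    cur = conn.execute(
        "INSERT INTO content (title, created_by) VALUES (?, ?)", (title, created_by_raw)
    )
    return cur.lastrowid


class ValidationError(ValueError):
    """Raised before any INSERT when the submitted created_by is unacceptable."""


def validate_created_by(conn, raw):
    """Hardened form: the value must be a plain integer string naming an existing user."""
    # isdecimal() rejects "Mr Hacker", "", "-1", "1e3" and anything non-string.
    if not isinstance(raw, str) or not raw.isdecimal():
        raise ValidationError(f"created_by must be an integer, got {raw!r}")
    user_id = int(raw)
    row = conn.execute("SELECT 1 FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise ValidationError(f"created_by refers to no existing user: {user_id}")
    return user_id


def save_validated(conn, title, created_by_raw):
    """Only a validated, existing user id ever reaches the database."""
    user_id = validate_created_by(conn, created_by_raw)
    cur = conn.execute(
        "INSERT INTO content (title, created_by) VALUES (?, ?)", (title, user_id)
    )
    return cur.lastrowid


def stored_created_by(conn, content_id):
    """What actually ended up in the created_by column for a given row."""
    row = conn.execute(
        "SELECT created_by FROM content WHERE id = ?", (content_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs the report's inputs through both paths and returns what was stored or rejected."""
    conn = setup_db()
    results = {}
    # Unvalidated: the bogus id persists; SQLite even keeps the string, so the
    # column type is not a substitute for validation.
    cid = save_unvalidated(conn, "article", "999999")
    results["unvalidated_bogus_id"] = stored_created_by(conn, cid)
    cid = save_unvalidated(conn, "article", "Mr Hacker")
    results["unvalidated_string"] = stored_created_by(conn, cid)
    # Validated: both bad values are refused before any INSERT runs.
    for raw in ("Mr Hacker", "999999"):
        try:
            save_validated(conn, "article", raw)
            results[raw] = "accepted"
        except ValidationError:
            results[raw] = "rejected"
    cid = save_validated(conn, "article", "42")
    results["valid_id"] = stored_created_by(conn, cid)
    return results


def save_with_fk_backstop(created_by_raw):
    """Schema-level defence in depth: a foreign key stops 999999 even on the unvalidated path."""
    conn = setup_db(enforce_fk=True)
    try:
        save_unvalidated(conn, "article", created_by_raw)
        return "stored"
    except sqlite3.IntegrityError:
        return "rejected by foreign key"


if __name__ == "__main__":
    print(demo())
    print(save_with_fk_backstop("999999"), "/", save_with_fk_backstop("42"))
```

The two checks in validate_created_by are deliberately separate: the integer check is a cheap syntactic filter on the raw request value, and the existence lookup is the semantic check the report asks for. The foreign-key variant is a backstop, not a replacement; it gives a generic integrity error rather than a form-level message, and it only helps on a schema that actually declares the constraint.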
Related #29855
In so much as the user-not-found message only - but the real reason for opening this issue was not for that - it was to highlight the complete lack of validation that is allowing a string to get as far as an integer database column, unfiltered and unchecked. I should also NOT be able to set a new user id of a user that doesn't exist.
Probably should have been an email to @joomla/security but I had already posted before I realised the true depth of this issue.
Labels | Added: J4 Issue |
I assume this isn't specific to J4?
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-12-18 05:03:34 |
Closed_By | ⇒ | wilsonge |
Like all validation in Joomla it is broken. I've banged my head against a brick wall for 18 months over this trying to convince people