[JC-1964] SQL injection leads to exception instead of error message - JTalks JIRA

Voters

Watchers

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.10 Larks
Fix Version/s: 2.12 Larks
Labels:
None

Sprint:
2.12 Larks

Description

Precondition

install Web Developer plugin for your browser

Steps to reproduce:

Login and open Create Topic page
Go to "Ending date" field.
Convert the field to textarea using WebDeveloper plugin (Forms -> Convert Text Inputs to Textsreas)
Type any sql-injection, for example: 1' OR '1'='1
Press "Save" button

Actual result: Following error message appears:

Failed to convert property value of type java.lang.String to required type org.joda.time.DateTime for property topic.poll.endingDate; nested exception is java.lang.IllegalArgumentException: Invalid format: "1 OR 1=1" is malformed at " OR 1=1"

Expected result: user-friendly error message is shown, for ex.
EN: "Please, choose the correct date"
RU: "Пожалуйста, выберите корректную дату"

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Sql-injection.jpg
205 kB
15/Aug/14 2:48 PM

Structure

Activity

People

Assignee:

Pavlov Pasha (Inactive)

Reporter:

Irina

Votes:

0 Vote for this issue

Watchers:

7 Start watching this issue

Dates

Created:

15/Aug/14 1:51 PM

Updated:

25/Oct/14 1:17 AM

Resolved:

21/Oct/14 10:37 AM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 40m

Details

Description

Attachments

Attachments

Structure

Activity

People

Dates

Time Tracking

Structure Helper Panel