-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 2.10 Larks
-
Fix Version/s: 2.12 Larks
-
Labels:None
-
Sprint:2.12 Larks
Precondition
- install Web Developer plugin for your browser
Steps to reproduce:
- Login and open Create Topic page
- Go to "Ending date" field.
- Convert the field to textarea using WebDeveloper plugin (Forms -> Convert Text Inputs to Textsreas)
- Type any sql-injection, for example: 1' OR '1'='1
- Press "Save" button
Actual result: Following error message appears:
Failed to convert property value of type java.lang.String to required type org.joda.time.DateTime for property topic.poll.endingDate; nested exception is java.lang.IllegalArgumentException: Invalid format: "1 OR 1=1" is malformed at " OR 1=1"
Expected result: user-friendly error message is shown, for ex.
EN: "Please, choose the correct date"
RU: "Пожалуйста, выберите корректную дату"
CR need
Andrei Alikov, please review the change.
Andrey Ivanov In my opinion it is better to use the isEmpty() method instead of the text.equals(""). Also it is better to include only the parseDateTime(text) method into the "try-catch" block. If the forPattern(this.format) method will throw the exception - it can mean that we have some problem in the implementation.
Andrei Alikov could you do code review again please? Also pay attention you should review commit - 63eb4903dfa011ceb302e7c9390a562bc756c467 because I wrote down incorrect task name in commit message
Review completed.
Code looks fine, also the "Expected result: user-friendly error message is shown, for ex." is not implemented but in my opinion it is OK because manual editing of the form elements is not behavior we expect from the typical user. Current implementation just creates the poll without end date.
Test Environment
JCommune 2.12.2615.1d04e75
Firefox 33.0
Test Scenario
Precondition
- install Web Developer plugin for your browser
- Login as user
- Go to branch where user can create and view topics
Steps to reproduce:
- Click Create Topic button
- Convert the field to textarea using WebDeveloper plugin (Forms -> Convert Text Inputs to Textsreas)
- Fill all fields except "Ending date" field with valid random data (I.e. this_is_poll )
- Fill "Ending date" field with any sql-injection (I.e. 1' OR '1'='1 )
- Press "Save" button
Actual result=Expected result: New topic is created with poll without time limit for voting
Regression tests:
| № | Test | Result |
|---|---|---|
| 1 | Possibility to create polls without Ending date | PASS |
| 2 | Possibility to create poll with time limit | PASS |
| 3 | Possibility to create poll with non-datetime data in "Ending date" field | PASS |
Test results:
Issue can be closed
SUCCESS: Integrated in
JC. Unit Tests #2588
#
JC-1964: Fix IllegalArgumentException in JodaTime in DateTimeEditor (a.ivanov: 27cea4c19aed0d2ac3d5e03d7ea3b308fb747d1a)