Bug #34527

Add method in repositories does also update

Added by Kira Backes over 3 years ago. Updated about 3 years ago.

Status: Resolved
Start date: 2012-03-05
Priority: Must have
Due date:
Assigned To: Karsten Dambekalns
% Done: 100%
Category: Persistence
Target version: TYPO3 Flow Base Distribution - 1.1 beta 2
PHP Version:
Complexity:
Has patch: No
Affected Flow version: Git 1.0

Description

The add method in repositories does also update existing entities, this is a dangerous security flaw, as it allows an attacker to misuse creation forms (i.e. a register form) and change existing entities.
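The following is an added illustration, not TYPO3 Flow's own code and not part of this report. It models a minimal in-memory persistence manager in which the pre-fix add() silently overwrites an already stored record, next to the fixed add() that refuses any object which is not new, which is the behaviour the associated revisions describe. The class and method names (InMemoryPersistenceManager, Account, addBeforeFix, isNewObject) are hypothetical.

```php
<?php
// Added illustration of the flaw and its fix; not TYPO3 Flow's code.
// InMemoryPersistenceManager and Account are hypothetical stand-ins.

final class ObjectAlreadyPersistedException extends RuntimeException {}

final class Account
{
    public function __construct(
        public string $username,
        public string $role = 'user',
        // Null until the persistence layer assigns an identifier.
        public ?string $identifier = null,
    ) {}
}

final class InMemoryPersistenceManager
{
    /** @var array<string, Account> identifier => stored copy */
    private array $store = [];
    private int $nextId = 1;

    /** An object is new when persistence has not stored it under its identifier yet. */
    public function isNewObject(Account $object): bool
    {
        return $object->identifier === null || !isset($this->store[$object->identifier]);
    }

    /**
     * Pre-fix behaviour: persisting an object that already exists overwrites the
     * stored copy, so a "create" code path can be used to update a record.
     */
    public function addBeforeFix(Account $object): void
    {
        $this->persist($object);
    }

    /** Fixed behaviour: add() accepts only objects that are new to persistence. */
    public function add(Account $object): void
    {
        if (!$this->isNewObject($object)) {
            throw new ObjectAlreadyPersistedException(sprintf(
                'Object with identifier %s is already persisted; use update() instead.',
                $object->identifier
            ));
        }
        $this->persist($object);
    }

    /** Explicit update path, only for objects that already exist. */
    public function update(Account $object): void
    {
        if ($this->isNewObject($object)) {
            throw new RuntimeException('update() requires an already persisted object');
        }
        $this->persist($object);
    }

    public function get(string $identifier): ?Account
    {
        return $this->store[$identifier] ?? null;
    }

    private function persist(Account $object): void
    {
        $object->identifier ??= (string)$this->nextId++;
        $this->store[$object->identifier] = clone $object;
    }
}

// Constructed sample run: seed one existing account, then hand a "create" code
// path an object that already carries the identifier of that account.
$pm = new InMemoryPersistenceManager();
$pm->add(new Account('alice', 'admin'));        // stored under identifier "1"

$existingRef = new Account('alice', 'user', '1');

$pm->addBeforeFix($existingRef);
echo $pm->get('1')->role, PHP_EOL;              // "user": the existing record was overwritten

$pm->update(new Account('alice', 'admin', '1')); // restore the record for the second run

try {
    $pm->add($existingRef);
} catch (ObjectAlreadyPersistedException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo $pm->get('1')->role, PHP_EOL;              // "admin": the fixed add() refused the object
```

The check lives in the persistence manager rather than in each controller, so every creation form benefits from it; a creation action that needs to modify existing records must call the explicit update path, which makes that intent visible in code review.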

Associated revisions

Revision 2290d9fe
Added by Karsten Dambekalns about 3 years ago

[BUGFIX] PersistenceManager->add() now requires objects being new

The add method in repositories did also update existing entities,
this can be dangerous, as it allows an attacker to misuse creation
forms (i.e. a register form) and change existing entities.

Change-Id: I4f3bd277cb9a7444d75472ecb10844bf3d792f89
Fixes: #34527
Releases: 1.0, 1.1, 1.2

Revision 102cee20
Added by Karsten Dambekalns about 3 years ago

[TASK] Tweak wrong docblock in PersistenceManager->add()

The change to fix #34527 introduced a wrong @throws clause in
the method docblock.

Change-Id: If73c0b760b5d3dd89c65f2a629f56427e592dee4
Related: #34527
Releases: 1.1

Revision 96b49cb6
Added by Karsten Dambekalns about 3 years ago

[BUGFIX] Fix QueryTest using add twice for the same object

The new check for objects being added to persistence broke one
of the tests in the functional QueryTest. Turns out the test
was buggy, adding the same object twice (instead of a different
one).

Change-Id: Ia41f1497dfca6f06355c3b6c096929092c98d56e
Related: #34527
Releases: 1.1

Revision df6b6f45
Added by Karsten Dambekalns about 3 years ago

[BUGFIX] PersistenceManager->add() now requires objects being new

The add method in repositories did also update existing entities,
this can be dangerous, as it allows an attacker to misuse creation
forms (i.e. a register form) and change existing entities.

Change-Id: I4f3bd277cb9a7444d75472ecb10844bf3d792f89
Fixes: #34527
Releases: 1.0, 1.1, 1.2

Revision 8d4b3c70
Added by Karsten Dambekalns about 3 years ago

[BUGFIX] PersistenceManager->add() now requires objects being new

The add method in repositories did also update existing entities,
this can be dangerous, as it allows an attacker to misuse creation
forms (i.e. a register form) and change existing entities.

Change-Id: I4f3bd277cb9a7444d75472ecb10844bf3d792f89
Fixes: #34527
Releases: 1.0, 1.1, 1.2

History

#1 Updated by Andreas Förthner over 3 years ago

  • Project changed from TYPO3 Flow Base Distribution to TYPO3.Flow
  • Assigned To set to Andreas Förthner

#2 Updated by Karsten Dambekalns over 3 years ago

  • Category set to Security
  • Status changed from New to Accepted
  • Has patch set to No
  • Affected Flow version changed from Git master to Git 1.0

Right, Doctrine doesn't differentiate between add and update in its API. So we'd need to do this "on our side".

#3 Updated by Karsten Dambekalns over 3 years ago

  • Assigned To changed from Andreas Förthner to Karsten Dambekalns
  • Target version set to 1.0.5

#4 Updated by Karsten Dambekalns over 3 years ago

  • Category changed from Security to Persistence

#5 Updated by Gerrit Code Review about 3 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11595

#6 Updated by Karsten Dambekalns about 3 years ago

  • Target version changed from 1.0.5 to 1.1 beta 2

#7 Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11595

#8 Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11595

#9 Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#10 Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/11716

#11 Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#12 Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/11716

#13 Updated by Karsten Dambekalns about 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#14 Updated by Gerrit Code Review about 3 years ago

  • Status changed from Resolved to Under Review

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#15 Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/11716

#16 Updated by Karsten Dambekalns about 3 years ago

  • Status changed from Under Review to Resolved

#17 Updated by Gerrit Code Review about 3 years ago

  • Status changed from Resolved to Under Review

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#18 Updated by Karsten Dambekalns about 3 years ago

  • Status changed from Under Review to Resolved
