TYPO3.Flow - Bug #34527: Add method in repositories does also update - TYPO3 Forge

TYPO3 Flow Base Distribution Doctrine 2 Symfony.Component.DomCrawler Symfony.Component.Yaml TYPO3.Flow TYPO3.Fluid TYPO3.Kickstart TYPO3.Party TYPO3.Welcome Packages Applications

Bug #34527

Add method in repositories does also update

Added by Kira Backes over 1 year ago. Updated about 1 year ago.

Status:

Resolved

Start date:

2012-03-05

Priority:

Must have

Due date:

Assignee:

Karsten Dambekalns

% Done:

100%

Category:

Persistence

Target version:

TYPO3 Flow Base Distribution - 1.1 beta 2

PHP Version:

Complexity:

Has patch:

No

FLOW3 version affected:

Git 1.0

Votes:

1 (View)

Description

The add method in repositores does also update existing entities, this is a dangerous security flaw, as it allows an attacker to misuse creation forms (i.e. a register form) and change existing entities.

Associated revisions

Revision 2290d9fe
Added by Karsten Dambekalns about 1 year ago

[BUGFIX] PersistenceManager->add() now requires objects being new

The add method in repositories did also update existing entities,
this can be dangerous, as it allows an attacker to misuse creation
forms (i.e. a register form) and change existing entities.

Change-Id: I4f3bd277cb9a7444d75472ecb10844bf3d792f89
Fixes: #34527
Releases: 1.0, 1.1, 1.2

Revision 102cee20
Added by Karsten Dambekalns about 1 year ago

[TASK] Tweak wrong docblock in PersistenceManager->add()

The change to fix #34527 introduced a wrong @throws clause in
the method docblock.

Change-Id: If73c0b760b5d3dd89c65f2a629f56427e592dee4
Related: #34527
Releases: 1.1

Revision 96b49cb6
Added by Karsten Dambekalns about 1 year ago

[BUGFIX] Fix QueryTest using add twice for the same object

The new check for objects being added to persistence broke one
of the tests in the functional QueryTest. Turns out the test
was buggy, adding the same object twice (instead of a different
one).

Change-Id: Ia41f1497dfca6f06355c3b6c096929092c98d56e
Related: #34527
Releases: 1.1

Revision df6b6f45
Added by Karsten Dambekalns about 1 year ago

[BUGFIX] PersistenceManager->add() now requires objects being new

The add method in repositories did also update existing entities,
this can be dangerous, as it allows an attacker to misuse creation
forms (i.e. a register form) and change existing entities.

Change-Id: I4f3bd277cb9a7444d75472ecb10844bf3d792f89
Fixes: #34527
Releases: 1.0, 1.1, 1.2

Revision 8d4b3c70
Added by Karsten Dambekalns about 1 year ago

[BUGFIX] PersistenceManager->add() now requires objects being new

The add method in repositories did also update existing entities,
this can be dangerous, as it allows an attacker to misuse creation
forms (i.e. a register form) and change existing entities.

Change-Id: I4f3bd277cb9a7444d75472ecb10844bf3d792f89
Fixes: #34527
Releases: 1.0, 1.1, 1.2

History

#1
Updated by Andreas Förthner over 1 year ago

Project changed from TYPO3 Flow Base Distribution to TYPO3.Flow
Assignee set to Andreas Förthner

#2
Updated by Karsten Dambekalns over 1 year ago

Category set to Security
Status changed from New to Accepted
Has patch set to No
FLOW3 version affected changed from Git master to Git 1.0

Right, Doctrine doesn't differentiate between add and update in it's API. So we'd need to do this "on our side".

#3
Updated by Karsten Dambekalns about 1 year ago

Assignee changed from Andreas Förthner to Karsten Dambekalns
Target version set to 1.0.5

#4
Updated by Karsten Dambekalns about 1 year ago

Category changed from Security to Persistence

#5
Updated by Gerrit Code Review about 1 year ago

Status changed from Accepted to Under Review

Patch set 1 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11595

#6
Updated by Karsten Dambekalns about 1 year ago

Target version changed from 1.0.5 to 1.1 beta 2

#7
Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11595

#8
Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11595

#9
Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#10
Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/11716

#11
Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#12
Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/11716

#13
Updated by Karsten Dambekalns about 1 year ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset 2290d9febc7b7fc9a5bb0d67d8f89e97c8a345f0.

#14
Updated by Gerrit Code Review about 1 year ago

Status changed from Resolved to Under Review

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#15
Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/11716

#16
Updated by Karsten Dambekalns about 1 year ago

Status changed from Under Review to Resolved

#17
Updated by Gerrit Code Review about 1 year ago

Status changed from Resolved to Under Review

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11715

#18
Updated by Karsten Dambekalns about 1 year ago

Status changed from Under Review to Resolved

Applied in changeset 8d4b3c7099b597525ebb3406dbef0b9f204d67d2.

Also available in: Atom PDF