#445 ([PATCH] No pagination when page set to 0 (possible DOS attack))

Ticket #445 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

Reported by: Mike Squire
Assigned to:
Priority: critical
Milestone: 0.6.2
Component:
Version: 0.7.X
Keywords:
Cc:
Qualification:

Description

Setting the page to be 0 (or a non-integer) in sfPropelPager switches off pagination which could lead to DOS attacks by manually typing URLs that bring back entire record sets.

Index: lib/addon/sfPager/sfPropelPager.class.php
===================================================================
--- lib/addon/sfPager/sfPropelPager.class.php   (revision 1229)
+++ lib/addon/sfPager/sfPropelPager.class.php   (working copy)
@@ -303,7 +303,9 @@

   public function setPage($page)
   {
-    $this->page = ($page < 0) ? 1 : $page;
+    $page = intval($page);
+
+    $this->page = ($page <= 0) ? 1 : $page;
   }

   public function getMaxPerPage()
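
Review bot: In setPage(), the new `($page <= 0) ? 1 : $page` clamp enforces only the lower bound, and the intval() cast in front of it silently accepts input with a numeric prefix (for example "3abc" becomes 3) rather than rejecting it. The 0 and non-integer cases from the ticket are covered, since intval() returns 0 for a non-numeric string and the value then falls back to page 1. Nothing in this hunk caps $page at the last page, so it is worth confirming that an oversized page number is handled where the query offset is computed. Please add a docblock to setPage() stating that values below 1 and non-numeric values resolve to page 1, because any caller that passed 0 to switch pagination off now gets page 1 instead, and add a regression test for 0, a negative number and a non-numeric string. The setter that pairs with getMaxPerPage() is not shown here; if it takes request input it needs the same validation.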

Change History

04/19/06 15:05:24 changed by fabien

fixed in r1230.

04/19/06 15:05:28 changed by fabien

  • status changed from new to closed.
  • resolution set to fixed.