View Issue Details

ID: 0002601
Project: HTML & PERL
Category: Bug Report
View Status: public
Last Update: 2016-10-12 23:17
Reporter: Hinoe
Assigned To: DerIdiot
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Fixed in Version: 2016-11
Summary: 0002601: It is possible to (attempt to) delete a tagreltb entry via URL hack

Description:
Deleting a tagreltb entry is a surefire way to wreak havoc in the related tag. I don't know whether recreating the entry without database magic is even possible.

It is possible, by hacking the URL, to issue a del creq on tagreltb entities. While that is highly unlikely, and the offending user would certainly be made an example of, it is not outside the realm of imagination that a half-asleep mod might end up granting such a creq by pressing the wrong button or something.

Please add a check that halts the action and throws an error if the user attempts to issue a del creq on that specific table.

Example of such a creq in action, and of its results: https://devint.anidb.net/c7913492
Steps To Reproduce:
https://devint.anidb.net/perl-bin/animedb.pl?show=creq&creq.delete=1&tb=tagreltb&id=XYZ

Testing should obviously be done on devint only, owing to the destructive potential of this issue.
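The check the report asks for, written as an added example in the project's language; it is not code from animedb.pl. The protected-table list, the query-string parser, the table name "sometb" and the sample requests are all constructed for the example. The point it shows is that the refusal happens server-side, on the parsed parameters and before any database write, so editing the URL by hand cannot get around it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Tables on which a delete creq must never be created, whatever the URL says.
# Constructed for this example; the real table list is not on the page.
my %NO_DELETE_TABLE = map { $_ => 1 } qw(tagreltb);

# Parse a query string such as "show=creq&creq.delete=1&tb=tagreltb&id=XYZ"
# into a hash. Minimal URL decoding, enough for the request shapes used here.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        $p{$k} = $v;
    }
    return \%p;
}

# Server-side guard: decide whether a creq may be created from these parameters.
# Returns (1, undef) when allowed and (0, "reason") when refused.
sub check_creq {
    my ($p) = @_;
    return (1, undef) unless ($p->{show} // '') eq 'creq';

    my $is_delete = ($p->{'creq.delete'} // '0') eq '1';
    my $table     = $p->{tb} // '';

    # Refuse before anything touches the database; a mod never sees this creq.
    if ($is_delete && $NO_DELETE_TABLE{$table}) {
        return (0, "delete creqs are not permitted on table '$table'");
    }
    return (1, undef);
}

# Constructed sample requests: the URL from the report plus two harmless ones.
my @samples = (
    'show=creq&creq.delete=1&tb=tagreltb&id=XYZ',   # must be refused
    'show=creq&creq.delete=0&tb=tagreltb&id=XYZ',   # non-delete creq on the same row: allowed
    'show=creq&creq.delete=1&tb=sometb&id=42',      # delete on an unprotected (hypothetical) table
);

for my $qs (@samples) {
    my ($ok, $why) = check_creq(parse_query($qs));
    printf "%-48s %s\n", $qs, $ok ? 'allowed' : "refused: $why";
}
```

The guard keys on the table name rather than on which UI button was pressed, which is what makes it hold against a hand-edited URL; adding a table to %NO_DELETE_TABLE is the whole change needed to protect another table the same way.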
Tags: No tags attached.

Activities

CDB-Man

2016-09-16 07:11

manager   ~0003845

Also note in that devint creq in the creq header block, it says tag system but links the tag itself.

Should be a field called tag that links the tag itself (type in this case), then another field tag system that quotes the tag system (character in this case).

Hinoe

2016-09-16 09:32

reporter   ~0003846

Which is a completely different thing and you're just asking baka to yell at you. :P

I'll add a feature request for that.

DerIdiot

2016-09-29 15:43

administrator   ~0003867

I don't see the issue. It creates a creq. If you grant that, that is the mod's fault.

Hinoe

2016-09-29 18:25

reporter   ~0003868

Yes, and I'd like to not see it happen. But if you don't think the risk is enough to justify it, I can live with that.

Issue History

Date Modified Username Field Change
2016-09-16 05:33 Hinoe New Issue
2016-09-16 07:11 CDB-Man Note Added: 0003845
2016-09-16 09:32 Hinoe Note Added: 0003846
2016-09-29 15:43 DerIdiot Note Added: 0003867
2016-09-29 18:25 Hinoe Note Added: 0003868
2016-10-12 23:17 DerIdiot Assigned To => DerIdiot
2016-10-12 23:17 DerIdiot Status new => resolved
2016-10-12 23:17 DerIdiot Resolution open => fixed
2016-10-12 23:17 DerIdiot Fixed in Version => 2016-11