Bad evaluation of repeater template when importing fields

[perrarina]

Hi, this is a port from Processwire forum to a problem we had in a big PW installation.
Here is the link to the forum post.
I consider this a security breach because for us it means a server crash: no inodes left on filesystem.

Processwire version: 2.6.23 rc2

Server: Linux, Ngnix, Maria DB, PHP-Fpm, EXT4 Filesystem

Problem: When you import a repeater field, PW don't validate the template of the parent_id field, and assign it to repeater page.

Reproduction steps:

1.- Export a repeater field.

2.- When importing, edit the parent-id to match with the ID of a page which template contains that repeater.

3.- Pw enter's in a loop of repeater pages creation.

Possible solution: when importing a repeater field check that the template assigned to the repeater doesn't contains the repeater itself.

[teppokoivula]

@perrarina I would suggest reposting this issue at the processwire-issues repository.

If you take a look at #2051, you'll find instructions for posting issues, and though those instructions refer to 3.x, the processwire-legacy repository (which now hosts 2.x versions) also points to the processwire-issues repository: processwire/processwire-legacy#1 :)

[teppokoivula]

Additional note: I have to disagree with classifying this as a "security breach". It does sound like a bug related to exporting/importing repeater fields (note: not sure if that's even properly supported, particularly in pre 2.8/3.0 versions) and as a worst case scenario it can cause serious problems as mentioned above, but it most definitely isn't a security issue per se.

[perrarina]

Thank's @teppokoivula i'm moving this issue to the correct respository.