Bad evaluation of repeater template when importing fields #2060

Open
perrarina opened this issue Jan 5, 2017 · 3 comments

perrarina commented Jan 5, 2017

Hi, this is a port from the ProcessWire forum of a problem we had in a big PW installation.
Here is the link to the forum post.
I consider this a security breach because for us it means a server crash: no inodes left on the filesystem.

ProcessWire version: 2.6.23 rc2

Server: Linux, Nginx, MariaDB, PHP-FPM, EXT4 filesystem

Problem: When you import a repeater field, PW doesn't validate the template of the parent_id field, and assigns it to the repeater page.

Reproduction steps:

1.- Export a repeater field.

2.- When importing, edit the parent-id to match the ID of a page whose template contains that repeater.

3.- PW enters a loop of repeater page creation.

Possible solution: when importing a repeater field, check that the template assigned to the repeater doesn't contain the repeater itself.
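
The check proposed above, sketched as an added example that is not part of the original post and is not ProcessWire code. It goes one step beyond the report by also following nested repeaters; the arrays, IDs, template and field names and both function names are constructed stand-ins for the site's pages, templates and repeater settings.

```php
<?php
declare(strict_types=1);
// Constructed stand-ins for site data (hypothetical, not ProcessWire API calls).
$pageTemplates = [1015 => 'repeater_slides', 1042 => 'gallery', 1050 => 'outer'];
$templateFields = [                       // template => fields it contains
    'repeater_slides' => ['title', 'image'],
    'gallery'         => ['title', 'slides'],   // 'slides' is the repeater
    'outer'           => ['title', 'blocks'],
    'repeater_blocks' => ['slides'],
];
$repeaterTemplates = ['blocks' => 'repeater_blocks']; // repeater => item template

// True if $template contains $field directly or through nested repeaters.
function templateReaches(string $template, string $field, array $fields,
                         array $repeaters, array &$seen = []): bool
{
    if (isset($seen[$template])) {
        return false; // already visited; keeps this check itself from looping
    }
    $seen[$template] = true;
    foreach ($fields[$template] ?? [] as $name) {
        if ($name === $field) {
            return true;
        }
        $next = $repeaters[$name] ?? null;
        if ($next !== null && templateReaches($next, $field, $fields, $repeaters, $seen)) {
            return true;
        }
    }
    return false;
}

// Returns an error message for an unsafe import, or null if it may proceed.
function checkRepeaterImport(string $field, array $import, array $pages,
                             array $fields, array $repeaters): ?string
{
    $parentId = (int) ($import['parent_id'] ?? 0);
    if (!isset($pages[$parentId])) {
        return "parent_id $parentId is not a known page";
    }
    $template = $pages[$parentId];
    return templateReaches($template, $field, $fields, $repeaters)
        ? "template '$template' of page $parentId contains repeater '$field'"
        : null;
}

foreach ([1015, 1042, 1050] as $id) {     // constructed import attempts
    $err = checkRepeaterImport('slides', ['parent_id' => $id], $pageTemplates, $templateFields, $repeaterTemplates);
    echo $id, ': ', $err ?? 'ok', PHP_EOL;
}
```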

teppokoivula commented Jan 8, 2017

@perrarina I would suggest reposting this issue at the processwire-issues repository.

If you take a look at #2051, you'll find instructions for posting issues, and though those instructions refer to 3.x, the processwire-legacy repository (which now hosts 2.x versions) also points to the processwire-issues repository: processwire/processwire-legacy#1 :)

teppokoivula commented Jan 8, 2017

Additional note: I have to disagree with classifying this as a "security breach". It does sound like a bug related to exporting/importing repeater fields (note: not sure if that's even properly supported, particularly in pre 2.8/3.0 versions) and as a worst case scenario it can cause serious problems as mentioned above, but it most definitely isn't a security issue per se.

@perrarina

Thanks @teppokoivula, I'm moving this issue to the correct repository.
