14609: [SECURITY] Prevent SID of 0 during import - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

14609	Bug reports	Import/Export	public	2019-03-06 12:34	2019-04-02 16:41

Reporter	realitix	Assigned To	ollehar
Priority	none	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	3.15.x
Fixed in Version	3.17.x

Summary	14609: [SECURITY] Prevent SID of 0 during import
Description	Hello, When you import a survey, if the sid is 0, it will crash all the application. Indeed, an attacker can manually set the sid to 0 in the .lss file. The import works but then the application will crash at several places and the survey is impossible to delete. Warning, if you try to reproduce this bug, you will need to delete the survey in database. I'm sending the pull request that fixes it.
Steps To Reproduce	Create a new survey by importing the joined .lss file Try to delete it
Tags	No tags attached.
Attached Files	limesurvey_survey_947165.lss (12,850 bytes)

Bug heat	2
Complete LimeSurvey version number (& build)	master 3.15.9
I will donate to the project if issue is resolved	No
Browser
Database type & version	0
Server OS (if known)
Webserver software & version (if known)
PHP Version	0

User List	There are no users monitoring this issue.

Date Modified	Username	Field	Change
2019-03-06 12:34	realitix	New Issue
2019-03-06 12:34	realitix	File Added: limesurvey_survey_947165.lss
2019-03-06 12:36	realitix	Note Added: 50791
2019-04-02 16:41	ollehar	Assigned To	=> ollehar
2019-04-02 16:41	ollehar	Status	new => closed
2019-04-02 16:41	ollehar	Resolution	open => fixed
2019-04-02 16:41	ollehar	Fixed in Version	=> 3.17.x

realitix 2019-03-06 12:36 reporter ~50791	Here the pull request: https://github.com/LimeSurvey/LimeSurvey/pull/1240