View Issue Details

ID: 20261
Project: Bug reports
Category: Security
View Status: public
Last Update: 2025-09-18 10:39
Reporter: tibor.pacalat
Assigned To: tibor.pacalat
Priority: none
Severity: minor
Status: acknowledged
Resolution: open
Product Version: 6.6.x
Summary: 20261: Create 400 HTTP error code exception when invalid and potentially harmful parameter values are sent
Description

This is a follow-up to the ticket https://bugs.limesurvey.org/view.php?id=2023

Create 400 http error code exception when invalid and potentially harmful parameter values are sent.
This will then be visible in the normal webserver log.


Tags: No tags attached.
Bug heat: 252
Complete LimeSurvey version number (& build): 6.15.10+250901
I will donate to the project if issue is resolved: No
Browser:
Database type & version:
Server OS (if known):
Webserver software & version (if known):
PHP Version:

Activities

DenisChenu (developer), 2025-09-10 14:48, note ~83396 (last edited 2025-09-10 14:49)

It's not a global issue: it must be done for each parameter, and moved to the controller.

It's a way to fix it when updating.

DenisChenu (developer), 2025-09-18 10:38, note ~83437 (last edited 2025-09-18 10:39)

Tell me how I can create a PR for fixing such a situation: https://github.com/LimeSurvey/LimeSurvey/blob/master/application/models/QuestionBaseDataSet.php#L41

An App::getSurveyId ?

App::getId($string); where string can be survey, question, questiongroup ?

My idea

Use a getParam (and setParam in https://github.com/LimeSurvey/LimeSurvey/blob/master/application/core/LSYii_Application.php)

  1. in __construct https://github.com/LimeSurvey/LimeSurvey/blob/1db969d592e05a1c48e3e610946e193e5bfd5ded/application/core/LSYii_Application.php#L74
    • Set sid, gid, qid and maybe some other
    • Allow: integer + null + '' and maybe some specific (new?)
    • Send 400 if not
    • Control if gid is inside current sid and qid inside sid and gid (like we do in 2.6)
  2. Add a App()->getParam(['sid','gid','qid']);
    • return current param or null

I cannot start without discussion. I really dislike working for nothing.
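
The validation sketched in the note above (accept integer, null or '' for sid/gid/qid, answer 400 for anything else, expose a getParam that returns the value or null), worked through as an added example in plain PHP. This is not LimeSurvey code: the class IdParams and the BadRequestException that stands in for Yii's CHttpException(400, ...) are assumptions made here so the file runs stand-alone without Yii, and the ownership check (gid inside sid, qid inside gid) from step 1 is left out.

```php
<?php
declare(strict_types=1);

// Added example, not LimeSurvey code. Stand-in for CHttpException(400, ...)
// so the file runs without Yii: whatever catches it answers HTTP 400, which
// is what then shows up in the normal webserver access log.
final class BadRequestException extends RuntimeException
{
    public int $statusCode = 400;
}

// Hypothetical helper: validates id-style parameters once, at construction
// time (the constructor idea from the note), and exposes getParam().
final class IdParams
{
    /** Only these names are validated; nothing else is read from the request. */
    private const ID_NAMES = ['sid', 'gid', 'qid'];

    /** @var array<string, int|null> validated values keyed by parameter name */
    private array $values = [];

    /**
     * @param array<string, mixed> $request raw request parameters ($_GET shape)
     * @throws BadRequestException on the first parameter that is not an id
     */
    public function __construct(array $request)
    {
        foreach (self::ID_NAMES as $name) {
            $this->values[$name] = self::toIdOrNull($name, $request[$name] ?? null);
        }
    }

    /**
     * Accepted: absent, null or '' (all become null), a non-negative int, or a
     * string of 1 to 10 ASCII digits (becomes int). Everything else is a 400:
     * arrays (?sid[]=1), signs, whitespace, trailing garbage or newlines.
     */
    private static function toIdOrNull(string $name, $raw): ?int
    {
        if ($raw === null || $raw === '') {
            return null;
        }
        if (is_int($raw) && $raw >= 0) {
            return $raw;
        }
        // \A and \z anchor the whole string; a plain $ would accept "12\n".
        // Ten digits keeps the value inside PHP_INT_MAX on 64-bit builds.
        if (is_string($raw) && preg_match('/\A[0-9]{1,10}\z/', $raw) === 1) {
            return (int) $raw;
        }
        // Describe the rejected value by type and length only, so the error
        // text (and any log line built from it) never carries attacker input.
        $kind = is_array($raw) ? 'array'
              : (is_string($raw) ? 'string of length ' . strlen($raw) : gettype($raw));
        throw new BadRequestException("Invalid value for parameter '$name' ($kind)");
    }

    /** Validated id, or null when the parameter was absent or empty. */
    public function getParam(string $name): ?int
    {
        return $this->values[$name] ?? null;
    }
}

// Constructed sample query strings, parsed the way PHP fills $_GET.
$samples = [
    'sid=123456&gid=7&qid=',  // valid; empty qid becomes null
    'sid=123456',             // gid and qid absent -> null
    'sid=12abc',              // trailing garbage -> 400
    'sid[]=1',                // array smuggled through the query string -> 400
    'sid=-5',                 // sign -> 400
    "sid=12\n",               // trailing newline -> 400
];

foreach ($samples as $qs) {
    parse_str($qs, $get);
    try {
        $p = new IdParams($get);
        printf("%-24s -> sid=%s gid=%s qid=%s\n", json_encode($qs),
            var_export($p->getParam('sid'), true),
            var_export($p->getParam('gid'), true),
            var_export($p->getParam('qid'), true));
    } catch (BadRequestException $e) {
        printf("%-24s -> HTTP %d: %s\n", json_encode($qs), $e->statusCode, $e->getMessage());
    }
}
```

Two details matter for the "visible in the webserver log" goal of the ticket: the array case has to be rejected explicitly, because PHP turns `?sid[]=1` into an array in $_GET and a loose `(int)` cast or `is_numeric` check would not produce the 400; and the exception message deliberately reports type and length rather than echoing the raw value, so the access and error logs record the rejection without storing the offending input.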

Issue History

Date Modified Username Field Change
2025-09-10 12:35 tibor.pacalat New Issue
2025-09-10 12:35 tibor.pacalat Assigned To => DenisChenu
2025-09-10 12:35 tibor.pacalat Status new => assigned
2025-09-10 14:48 DenisChenu Note Added: 83396
2025-09-10 14:48 DenisChenu Bug heat 250 => 252
2025-09-10 14:49 DenisChenu Note Edited: 83396
2025-09-18 10:38 DenisChenu Assigned To DenisChenu => tibor.pacalat
2025-09-18 10:38 DenisChenu Status assigned => acknowledged
2025-09-18 10:38 DenisChenu Note Added: 83437
2025-09-18 10:39 DenisChenu Note Edited: 83437