View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 256
IDProjectCategoryView StatusDate SubmittedLast Update
20261Bug reportsSecuritypublic2025-09-10 12:352025-10-07 16:07
Reportertibor.pacalat Assigned ToDenisChenu  
PrioritynoneSeverityminor 
Status assignedResolutionopen 
Product Version6.6.x 
Summary20261: Create 400 http error code exception when invalid and potentially harmful parameter values are sent
Description

This is a follow up to the ticket https://bugs.limesurvey.org/view.php?id=2023

Create 400 http error code exception when invalid and potentially harmful parameter values are sent.
This will then be visible in the normal webserver log.

Steps To Reproduce

Steps to reproduce

(Replace this text with detailed step-by-step instructions on how to reproduce the issue)

Expected result

(Write here what you expected to happen)

Actual result

(Write here what happened instead)

TagsNo tags attached.
Bug heat256
Complete LimeSurvey version number (& build)6.15.10+250901
I will donate to the project if issue is resolvedNo
Browser
Database type & version.
Server OS (if known)
Webserver software & version (if known)
PHP Version.

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2025-09-10 14:48

developer   ~83396

Last edited: 2025-09-10 14:49

It's not a global issue : it must be done for each parameter, and move to controller.

It's a way to fix when when update.
DenisChenu

DenisChenu

2025-09-18 10:38

developer   ~83437

Last edited: 2025-09-18 10:39

Telle me how i can create a PR for fixing such situatuation : https://github.com/LimeSurvey/LimeSurvey/blob/master/application/models/QuestionBaseDataSet.php#L41

An App::getSurveyId ?

App::getId($string); where string can be survey, question, questiongroup ?

My idea

Use a getParam (and setParam in https://github.com/LimeSurvey/LimeSurvey/blob/master/application/core/LSYii_Application.php)

  1. in __conctruct https://github.com/LimeSurvey/LimeSurvey/blob/1db969d592e05a1c48e3e610946e193e5bfd5ded/application/core/LSYii_Application.php#L74
    • Set sid, gid, qid and maybe some other
    • Allow : integer + null + '' and mlaybve some specific (new ?)
    • Send 400 if not
    • Control if gid is inside current sid and qid inside sif and gid (like we do in 2.6)
  2. Add a App()->getParam(['sid','gid','qid']);
    • return current poaram or null

I can not start without discussion. I really dislike to work for nothing.
tibor.pacalat

tibor.pacalat

2025-10-07 15:35

administrator   ~83561

@c_schmitz could you please provide your opinion here?
DenisChenu

DenisChenu

2025-10-07 15:45

developer   ~83563

Start for survey ID here https://github.com/LimeSurvey/LimeSurvey/pull/4469
c_schmitz

c_schmitz

2025-10-07 15:56

administrator   ~83564

Looks fine to me.
DenisChenu

DenisChenu

2025-10-07 16:07

developer   ~83565

I add getGid and getQid after

And in my opinion : qid must use sid if exist (then we are sure it's related to the good survey), and maybe if sid is not set : set it.

Issue History

Date Modified Username Field Change
2025-09-10 12:35 tibor.pacalat New Issue
2025-09-10 12:35 tibor.pacalat Assigned To => DenisChenu
2025-09-10 12:35 tibor.pacalat Status new => assigned
2025-09-10 14:48 DenisChenu Note Added: 83396
2025-09-10 14:48 DenisChenu Bug heat 250 => 252
2025-09-10 14:49 DenisChenu Note Edited: 83396
2025-09-18 10:38 DenisChenu Assigned To DenisChenu => tibor.pacalat
2025-09-18 10:38 DenisChenu Status assigned => acknowledged
2025-09-18 10:38 DenisChenu Note Added: 83437
2025-09-18 10:39 DenisChenu Note Edited: 83437
2025-10-07 15:06 DenisChenu Assigned To tibor.pacalat => DenisChenu
2025-10-07 15:35 tibor.pacalat Note Added: 83561
2025-10-07 15:35 tibor.pacalat Bug heat 252 => 254
2025-10-07 15:45 DenisChenu Status acknowledged => assigned
2025-10-07 15:45 DenisChenu Note Added: 83563
2025-10-07 15:56 c_schmitz Note Added: 83564
2025-10-07 15:56 c_schmitz Bug heat 254 => 256
2025-10-07 16:07 DenisChenu Note Added: 83565