
Comment 'Name' and 'Email' can be manipulated even if CommentsRequireLogin is true #323

Open
LeviWB opened this issue May 7, 2021 · 0 comments

Comments

@LeviWB

LeviWB commented May 7, 2021

If the getCommentsRequireLogin() function for a record returns true, then the email and name fields on the comment form become hidden fields with the value being set to the name and email of the logged in member.

This makes sense, as we would want the name and email of the commenter to come straight from the member object, but if a comment is submitted outside the form or the hidden value is changed to something else, then the comment can appear to be coming from a different member.

We have had this issue raised during a pentest. The issue is mitigated by the fact that the member object/ID is still logged against the comment itself, so it could be audited, but it would be nice to either have a config option to prevent the email/name being set if getCommentsRequireLogin() is true, or possibly have this become the default behavior.
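The two behaviours the report contrasts, as an added stand-alone example (this is not the comments module's own code, and the `Member` class, `buildComment()` function and the `$ignoreFormAuthor` flag standing in for the proposed config option are invented for the illustration). It shows a handler that reads the hidden Name/Email fields back from a hand-built POST, beside one that takes the author identity only from the logged-in member and flags the mismatch so the tampering attempt can be logged. Requires PHP 8.1+.

```php
<?php
declare(strict_types=1);

// Added illustration, not silverstripe/comments code. Names here are invented;
// the module's real form handler differs.

final class Member
{
    public function __construct(
        public readonly int $id,
        public readonly string $name,
        public readonly string $email,
    ) {}
}

/**
 * Build the record to store for a comment submission.
 *
 * $post              decoded POST body (Name, Email, Comment)
 * $current           logged-in member, or null for an anonymous visitor
 * $requireLogin      mirrors getCommentsRequireLogin()
 * $ignoreFormAuthor  the behaviour the issue asks for: when login is required,
 *                    Name/Email are never taken from the request
 */
function buildComment(array $post, ?Member $current, bool $requireLogin, bool $ignoreFormAuthor): array
{
    if ($requireLogin && $current === null) {
        throw new RuntimeException('comments require login');
    }

    $postedName  = trim((string) ($post['Name'] ?? ''));
    $postedEmail = trim((string) ($post['Email'] ?? ''));

    $record = [
        // The member ID is always recorded; this is what keeps a spoofed comment auditable.
        'AuthorID' => $current?->id,
        'Comment'  => (string) ($post['Comment'] ?? ''),
        'Tampered' => false,
    ];

    if (!$requireLogin || !$ignoreFormAuthor) {
        // Current behaviour: the hidden fields are read back from the request, so a
        // request built outside the form can attribute the comment to anyone.
        $record['Name']  = $postedName;
        $record['Email'] = $postedEmail;
        return $record;
    }

    // Requested behaviour: identity comes only from the session. Submitted values
    // that disagree with the member are discarded and flagged for logging.
    $record['Name']     = $current->name;
    $record['Email']    = $current->email;
    $record['Tampered'] = ($postedName !== '' && $postedName !== $current->name)
                       || ($postedEmail !== '' && strcasecmp($postedEmail, $current->email) !== 0);
    return $record;
}

// Constructed sample: Alice is logged in, but the POST body carries Bob's details.
$alice    = new Member(42, 'Alice Example', 'alice@example.test');
$tampered = ['Name' => 'Bob Admin', 'Email' => 'bob@example.test', 'Comment' => 'Looks legit'];

$asIs = buildComment($tampered, $alice, true, false);
// Displays as Bob's comment, even though AuthorID still points at Alice.
assert($asIs['Name'] === 'Bob Admin' && $asIs['AuthorID'] === 42);

$fixed = buildComment($tampered, $alice, true, true);
assert($fixed['Name'] === 'Alice Example' && $fixed['Email'] === 'alice@example.test');
assert($fixed['Tampered'] === true);

echo 'as-is: ', $asIs['Name'], ' | hardened: ', $fixed['Name'],
     ' | tampered=', var_export($fixed['Tampered'], true), PHP_EOL;
```

The `assert()` calls only run with `zend.assertions=1`; the final `echo` shows the same outcome regardless. The `Tampered` flag is the piece a practitioner would want beyond simply overwriting the fields: silently replacing the values hides the attempt, whereas flagging it lets the controller log the member ID alongside the spoofed name.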
