|
From: Christian B. <pos...@cb...> - 2008-12-14 15:33:20
|
Hello, Am Freitag, 12. Dezember 2008 schrieb Gin...@us...: > Revision: 499 > edit-domain.php: fix bug where editing a domain nukes the transport > field (we actually were not checking the config field properly to see > whether transport control was turned on or not; this fixes > https://sourceforge.net/tracker/index.php?func=detail&aid=2378038&gro >up_id=191583&atid=937964 > trunk/edit-domain.php (reduced to non-whitespace changes) > @@ -69,1 +69,4 @@ > - if (isset ($_POST['fTransport'])) $fTransport = escape_string > ($_POST['fTransport']); > + $fTransport = $CONF['transport_default']; > + if($CONF['transport'] != 'NO' && isset ($_POST['fTransport'])) { > + $fTransport = escape_string ($_POST['fTransport']); > + } IMHO this is buggy. Even if $CONF['transport'] is set to NO, there could be some domains with a transport different from $CONF['default_transport'] - for example, $CONF['transport'] could have been YES for some time. The correct solution is to use the old transport value in the database also as new value. Or to simply omit changing the transport field in the UPDATE query if $CONF['transport'] is NO. Besides that: transport is not a freetext field, but a dropdown with a list of defined values ($CONF['transport_options']). So we should also check the input against this list of allowed values instead of simply escape_string'ing it. Regards, Christian Boltz -- If you need to ask stupid questions, there may be two reasons: a) the documentation (in this case mostly the wiki) is incomplete b) you're stupid :-) [Dirk Stoecker inopensuse-buildservice] |
