CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12683] Admin log entries are not checked for max length of database fields

avatar
Created By: Ruud van der Velden (ruudvdvelden)
Date Submitted: Wed Jan 17 17:03:15 -0500 2024

Assigned To: Fernando Morgado (JoMorg)
Version: 2.2.18
CMSMS Version: 2.2.18
Severity: Minor
Resolution: Fixed
State: Closed
Summary:
Admin log entries are not checked for max length of database fields
Detailed Description:
For the record: this is about 2.2.19 too, but it doesn't show up in the
dropdown.

cms_adminlog table column item_name has type varchar(50). However, function
audit() in lib\page.functions.php doesn't check nor truncates the value.

Insert will fail on database servers which have a strict mode enabled.

Sample use case: 
Configure database to have a strict mode enabled
https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html#sql-mode-strict

edit a content page, give it a long title, save the page. Check the admin log
and notice it didn't audit the edit for this page. Also future edits of pages
with long titles won't be audited.

Now edit a content page with a short title, check the admin log and notice the
edit has been audited.

Possibly other columns/fields should be validated too.


History

Comments
avatar
Date: 2024-01-21 08:56
Posted By: Jean-Claude Etiemble (jce76350)

The same problem seems to occur with News titles in action.editarticle.php in
2.2.19
Edit Article :
example 1 title = news_test_for long_title_on_V-2219-Rev 13073  	=> admin log
displays: News: news_test_for long_title_on_V-2219-Rev 13073 | Article edited
example 2 title = news_test_for long_title_on_V 2219 Rev 13073+	=> admin log
displays nothing

+ Also in action.addarticle.php 
example 1 admin log displaysNews: news_test_for long_title_on_V-2219-Rev 13073 
Article added
example 2 admin log displays nothing
      
avatar
Date: 2024-03-30 09:18
Posted By: Fernando Morgado (JoMorg)

Fixed in svn, thanks
      
avatar
Date: 2024-05-06 10:45
Posted By: Fernando Morgado (JoMorg)

CMSMS 2.2.20 has been released, thx!
      
Updates

Updated: 2024-05-06 10:45
state: Open => Closed

Updated: 2024-03-30 09:18
resolution_id: 5 => 7
assigned_to_id: 100 => 12532

Updated: 2024-01-17 17:06
description: cms_adminlog table column item_name has type varchar(50). However, function audit() in lib\page.functions.php doesn't check nor truncates the value. Insert will fail on database servers which have a strict mode enabled. Sample use case: Configure => For the record: this is about 2.2.19 too, but it doesn't show up in the dropdown. cms_adminlog table column item_name has type varchar(50). However, function audit() in lib\page.functions.php doesn't check nor truncates the value. Insert will fail
resolution_id: => 5