Bug #13493
closed
Several advanced DHCP6 client options do not inform the user when rejecting invalid input
Added by Flole Systems about 2 years ago.
Updated almost 2 years ago.
Plus Target Version:
23.01
Description
When entering "F", for example, as id-assoc pd ID in the interfaces Tab and saving, it magically disappears without any error. Either an error should be shown or only numeric values should be accepted for that textbox.
- Priority changed from Normal to Very Low
- Status changed from New to Confirmed
- Plus Target Version changed from 22.11 to 23.01
- Assignee set to Jim Pingle
Looks like several fields get tested to ensure they are numeric ints before being stored, but don't have corresponding checks in places where they can generate input errors.
These are not all together in the code; these are just the fields I found, collected together:
// Under a block of code that runs when $_POST['type6'] == "dhcp6" :
if (is_numericint($_POST['adv_dhcp6_id_assoc_statement_address_id'])) {
    $wancfg['adv_dhcp6_id_assoc_statement_address_id'] = $_POST['adv_dhcp6_id_assoc_statement_address_id'];
}
if (is_numericint($_POST['adv_dhcp6_id_assoc_statement_prefix_id'])) {
    $wancfg['adv_dhcp6_id_assoc_statement_prefix_id'] = $_POST['adv_dhcp6_id_assoc_statement_prefix_id'];
}
if (is_numericint($_POST['adv_dhcp6_prefix_interface_statement_sla_id'])) {
    $wancfg['adv_dhcp6_prefix_interface_statement_sla_id'] = $_POST['adv_dhcp6_prefix_interface_statement_sla_id'];
}
if (is_numericint($_POST['adv_dhcp6_prefix_interface_statement_sla_len'])) {
    $wancfg['adv_dhcp6_prefix_interface_statement_sla_len'] = $_POST['adv_dhcp6_prefix_interface_statement_sla_len'];
}
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Wouldn't it be possible to limit the possible characters in the web interface as well? Using the HTML5 attribute type="number" should prevent any non-numbers from being entered. Or should it be put into a separate issue, as this can most likely be added at multiple other places as well?
Client-side validation in JS could probably be done to help guide users toward valid input, but that should be a separate issue if there isn't one already. Whether or not it works on that specific type of form field is the question. Ultimately we need the server-side validation in place first (this issue) because we can't trust client validation on its own, as clients themselves can be malicious.
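The server-side check discussed above, as an added example that is not code from this issue or from the project's fix: each of the four fields is either stored or produces an input error, so a rejected value is never dropped silently. The `is_numericint()` stand-in, the function name `validate_dhcp6_numeric_fields()`, the error wording and the sample POST data are assumptions made for illustration.

```php
<?php
// Stand-in so the example runs outside pfSense (assumption: accepts a
// non-negative integer or a string consisting only of digits).
if (!function_exists('is_numericint')) {
    function is_numericint($arg) {
        return (is_int($arg) && $arg >= 0) ||
            (is_string($arg) && $arg !== '' && ctype_digit($arg));
    }
}

// The four field names quoted in the comment above.
const DHCP6_NUMERIC_FIELDS = [
    'adv_dhcp6_id_assoc_statement_address_id',
    'adv_dhcp6_id_assoc_statement_prefix_id',
    'adv_dhcp6_prefix_interface_statement_sla_id',
    'adv_dhcp6_prefix_interface_statement_sla_len',
];

// Hypothetical helper: returns [accepted values, error messages].
// A missing or empty field means "not set"; any other value must be a
// numeric int, otherwise an error is recorded for the user.
function validate_dhcp6_numeric_fields(array $post): array {
    $accepted = [];
    $input_errors = [];
    foreach (DHCP6_NUMERIC_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if ($value === '') {
            continue;
        }
        if (is_numericint($value)) {
            $accepted[$field] = $value;
        } else {
            // The raw value is not echoed back, so the message needs no
            // output encoding. Non-string input (e.g. field[]=x) lands here too.
            $input_errors[] = "Field '{$field}' must be a non-negative integer.";
        }
    }
    return [$accepted, $input_errors];
}

// Constructed sample request: one invalid value, one valid, one empty, one absent.
$post = [
    'adv_dhcp6_id_assoc_statement_prefix_id' => 'F',
    'adv_dhcp6_prefix_interface_statement_sla_id' => '5',
    'adv_dhcp6_prefix_interface_statement_sla_len' => '',
];
[$wancfg, $input_errors] = validate_dhcp6_numeric_fields($post);
print_r($wancfg);
print_r($input_errors);
```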
- Subject changed from "id-assoc pd ID" allows non-numbers to be entered to Several advanced DHCP6 client options do not inform the user when rejecting invalid input
Updating subject for release notes.
- Status changed from Feedback to Resolved