[ss-2015-024] FIX: Don't expose serialised fields to admin
SavedJobData and SavedJobMessages contain PHP serialised data.
There's no point showing these to a CMS Admin as they're not
human readable. Worse, it might be insecure, as a malicious
CMS Admin might be able to craft a payload that's dangerous
to unserialise. So best just to not let the CMS Admin see or
edit them.
Hamish Friedlander authored and Damian Mooyman committed Nov 22, 2015
1 parent 6e63fd3 commit 9132ebf
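To make the risk named in the commit message concrete, here is an added PHP illustration; it is not part of this commit or of the QueuedJobs code base. The `CacheWriter` gadget class, the two loader functions and the temp-file path are hypothetical, and the "malicious" string is constructed for the example. It shows that a serialised string typed into an editable field is enough to instantiate an arbitrary loadable class and run its `__wakeup()`, and that the `allowed_classes` option of `unserialize()` (PHP 7.0 and later) blunts that even if the string does reach the column.

```php
<?php
// Added illustration (not QueuedJobs code): why a column holding serialised PHP
// must never be writable from the CMS. CacheWriter is a hypothetical gadget class;
// any class with a magic method that is autoloadable at unserialize() time will do.
class CacheWriter
{
    public $path;
    public $content;

    public function __wakeup()
    {
        // Runs purely because an object of this class was unserialised.
        file_put_contents($this->path, $this->content);
    }
}

// What the column holds legitimately (constructed sample): plain job state.
$legit = serialize(['step' => 3, 'items' => [10, 20, 30]]);

// What a malicious admin could paste into an editable SavedJobData field.
// Constructed for the example; the path is computed so the string lengths match.
$path = sys_get_temp_dir() . '/admin-wakeup.txt';
$malicious = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:5:"pwned";}',
    strlen($path),
    $path
);

// Unsafe loader (hypothetical): instantiates whatever classes the blob names.
function loadJobDataUnsafe(string $blob)
{
    return unserialize($blob);
}

// Safer loader (hypothetical): refuses to instantiate any class. Objects in the
// blob become __PHP_Incomplete_Class, so no attacker-chosen magic method fires.
// Only appropriate when legitimate payloads contain no objects (stdClass included);
// otherwise pass an explicit whitelist array instead of false.
function loadJobDataSafe(string $blob)
{
    $data = unserialize($blob, ['allowed_classes' => false]);
    if ($data === false && $blob !== serialize(false)) {
        throw new RuntimeException('SavedJobData is not valid serialised data');
    }
    return $data;
}

// 1. Unsafe loader: CacheWriter is built, __wakeup fires, the file appears.
@unlink($path);
loadJobDataUnsafe($malicious);
echo 'unsafe loader, side effect happened: ' . (file_exists($path) ? 'yes' : 'no') . PHP_EOL;

// 2. Safe loader on the same blob: the gadget is inert.
@unlink($path);
$safe = loadJobDataSafe($malicious);
echo 'safe loader, side effect happened: ' . (file_exists($path) ? 'yes' : 'no') . PHP_EOL;
echo 'safe loader returned an instance of ' . get_class($safe) . PHP_EOL;

// 3. Legitimate array data still round-trips through the safe loader.
$data = loadJobDataSafe($legit);
echo 'legitimate payload, step = ' . $data['step'] . PHP_EOL;
```

Two caveats for anyone reading this against the 2015 commit: the `allowed_classes` option did not exist on the PHP 5 releases SilverStripe 3 ran on, so at the time the only defence was to keep untrusted input out of the column, which is what the commit does; and the safe loader above is a second layer, not a replacement, because hiding the field from the CMS form is what stops the string being written in the first place.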
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions code/dataobjects/QueuedJobDescriptor.php
@@ -255,6 +255,9 @@ public function getCMSFields() {
new DropdownField('JobStatus', $this->fieldLabel('JobStatus'), array_combine($statuses, $statuses))
);

$fields->removeByName('SavedJobData');
$fields->removeByName('SavedJobMessages');

if (Permission::check('ADMIN')) {
return $fields;
} else {
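Review bot: the two `removeByName` calls at the top of this hunk carry no comment saying the removal is a security measure, so a later clean-up of getCMSFields could reintroduce a `TextareaField` for SavedJobData without anyone realising it reopens the unserialise concern the commit message describes. Suggest a one-line comment above them, e.g. `// SavedJobData/SavedJobMessages hold serialised PHP; never expose them in the CMS (ss-2015-024)`. Placement is right: the calls sit before the `Permission::check('ADMIN')` branch, so both the admin and non-admin return paths drop the fields. Note that this only hides the fields from the CMS edit form; any other write path to those columns is outside this hunk and would need the same treatment.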
