From 9132ebf73549fbedb4c226779931362957f2d410 Mon Sep 17 00:00:00 2001
From: Hamish Friedlander
Date: Tue, 10 Nov 2015 10:45:26 +1300
Subject: [PATCH] [ss-2015-024] FIX: Don't expose serialised fields to admin

SavedJobData and SavedJobMessages contain php serialised data. There's no point showing these to a CMS Admin as they're not human readable. Worse, it might be insecure, as a malicious CMS Admin might be able to craft a payload thats dangerous to unserialise. So best just to not let the CMS Admin see or edit them.
---
 code/dataobjects/QueuedJobDescriptor.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/code/dataobjects/QueuedJobDescriptor.php b/code/dataobjects/QueuedJobDescriptor.php
index 2c763e59..455ad661 100644
--- a/code/dataobjects/QueuedJobDescriptor.php
+++ b/code/dataobjects/QueuedJobDescriptor.php
@@ -255,6 +255,9 @@ public function getCMSFields() {
 new DropdownField('JobStatus', $this->fieldLabel('JobStatus'), array_combine($statuses, $statuses))
 );
 
+ $fields->removeByName('SavedJobData');
+ $fields->removeByName('SavedJobMessages');
+
 if (Permission::check('ADMIN')) {
 return $fields;
 } else {
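Review bot: The two `removeByName` calls carry no hint of why these columns are stripped, and with the commit message as the only record of the reason a why-comment belongs directly above them, e.g. `// SavedJobData/SavedJobMessages hold PHP-serialised job state: not human-readable, and must not be editable from the CMS (ss-2015-024)`. This is a form-level control only: it drops the fields from the scaffolded CMS form, but it does not prevent a write to those columns through any other path that maps request data onto the DataObject (none is visible in this hunk), so if such a path exists the model itself should reject CMS-originated changes to them rather than relying on the form. Placing the removal before the `Permission::check('ADMIN')` branch is right, since both the admin and the non-admin return then omit the fields. getCMSFields continues outside the hunk.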