View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001610||OXID eShop (all versions)||3.1. Design, GUI, UX||public||2010-01-19 15:55||2010-09-23 14:43|
|Product Version||4.2.0 revision 23610|
|Target Version||Fixed in Version||4.4.3 revision 30016|
|Summary||0001610: URL params with "sid" in name are interpreted as session ID and replaced with "sid=x" automatically|
|Description||When such a link was inserted in the CMS:
...in the received email it looked like this:
It may be that the issue occurs because the param "bonusid" is interpreted as "sid" by the system, and here a regexp replaced it with "sid=x".
Please fix this issue so that params with "sid" in the name are not interpreted as session IDs.
|Tags||No tags attached.|
||When bonusid is read out as the session id, that could be a huge security hole in the software, as you can pass any session id URL variable. Could this be checked too?|
||Checked: bonusid (or anywhateveritisid) is never interpreted as session id (sid); the error is just in the sid value replacement part.|
||Added the needed regexp checks.|
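
The replacement error described in this report, as an added example (not OXID eShop's code; both patterns, the helper names and the shop.example URLs are assumptions constructed for illustration). A substring match on `sid=` also rewrites the value of `bonusid=`, while a pattern anchored to a parameter boundary masks only the real session ID.

```php
<?php
// Added illustration: patterns and URLs are constructed, not OXID eShop code.

// Naive: matches "sid=" anywhere, including the tail of "bonusid=".
const NAIVE = '/sid=[^&#"\s]*/';
// Anchored: "sid" must be the whole parameter name, so it has to follow
// "?", "&", or the ";" that closes an HTML-escaped "&amp;".
const ANCHORED = '/(?<=[?&;])sid=[^&#"\s]*/';

// Replace the session ID value with the placeholder "x".
function maskSid(string $pattern, string $url): string
{
    return preg_replace($pattern, 'sid=x', $url);
}

// Names of parameters other than "sid" whose value changed during masking.
function collateral(string $before, string $after): array
{
    $parse = function (string $url): array {
        $query = (string) parse_url(html_entity_decode($url), PHP_URL_QUERY);
        parse_str($query, $params);
        unset($params['sid']);
        return $params;
    };
    return array_keys(array_diff_assoc($parse($before), $parse($after)));
}

// Constructed sample links: HTML-escaped separators, plain separators,
// and a link with no session ID at all.
$samples = [
    'https://shop.example/index.php?cl=start&amp;sid=abc123&amp;bonusid=42',
    'https://shop.example/index.php?sid=abc123&cl=details&anid=7',
    'https://shop.example/index.php?cl=start&bonusid=42#top',
];

foreach (['naive' => NAIVE, 'anchored' => ANCHORED] as $name => $pattern) {
    foreach ($samples as $url) {
        $masked = maskSid($pattern, $url);
        $broken = collateral($url, $masked);
        printf("%-8s %s\n         damaged: %s\n", $name, $masked,
            $broken ? implode(', ', $broken) : 'none');
    }
}
```

The `collateral()` check can serve as a regression test for any masking pattern: it fails when a parameter other than `sid` changes value.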