
Bot session continuation with invalid f= query parameter causes SQL error

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.13-PL1, 3.1.3
    • Fix Version/s: 3.0.14-RC1, 3.1.4-RC1
    • Component/s: Sessions
    • Labels:
      None

      Description

      session_begin() and session_create() call session_update(), or in 3.0 simply run an SQL UPDATE query. In session_begin() this query is wrapped in return_on_error statements to avoid issues with a 3.0.2 update that modified the schema of the phpbb_sessions table. The call in session_create() does not use return_on_error; it is only used to update bot sessions.

      The session_forum_id column is updated with the f query parameter cast to integer. However, the cast value may exceed the range allowed for the column if either a negative parameter (f=-1) or an integer that is too big (f=2147483647) is specified. In this case MySQL returns "Out of range value for column 'session_forum_id' at row 1" because we enable strict mode in the MySQL DBAL.

      • (3.1+ only) We should look into whether we can avoid using return_on_error for the UPDATE query, so that actual SQL errors become visible.
      • (3.1+ only) We should move the return_on_error treatment into the update function itself so it is dealt with in the same way in all places.
      • We should limit the values for the f parameter to the values allowed for the table column.
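As an added illustration (not phpBB's own code, nor the fix that shipped for this issue), the unchecked cast described above beside a range-checked replacement; the column bounds, constant names and function names are assumptions:

```php
<?php
// Added example, not phpBB's own code or the fix that shipped for PHPBB3-13617.
// The column bounds are assumptions: adjust them to the real definition of
// phpbb_sessions.session_forum_id in your schema.
const SESSION_FORUM_ID_MIN = 0;
const SESSION_FORUM_ID_MAX = 16777215; // assumed: MEDIUMINT UNSIGNED

// Before: a plain integer cast. "-1" becomes -1 and "2147483647" stays as is;
// with MySQL strict mode enabled the UPDATE then fails with "Out of range value".
function forum_id_from_query_unchecked($raw)
{
    return (int) $raw;
}

// After: validate against the column range and fall back to 0 ("no forum")
// for anything that is not a plain in-range integer. FILTER_VALIDATE_INT
// also rejects "1e3", " 5", "5abc" and strings that overflow PHP_INT_MAX.
function forum_id_from_query($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => [
            'min_range' => SESSION_FORUM_ID_MIN,
            'max_range' => SESSION_FORUM_ID_MAX,
        ],
    ]);
    return ($id === false) ? 0 : $id;
}

// Constructed sample query values, including the two cases from the report.
$samples = ['12', '-1', '2147483647', '99999999999999999999', 'abc', '1e3'];
foreach ($samples as $raw) {
    $before   = forum_id_from_query_unchecked($raw);
    $after    = forum_id_from_query($raw);
    $in_range = ($before >= SESSION_FORUM_ID_MIN && $before <= SESSION_FORUM_ID_MAX);
    printf("f=%-22s cast=%-20s %-13s sanitized=%d\n",
        $raw, $before, $in_range ? 'ok' : 'OUT OF RANGE', $after);
}
```

Dropping to 0 mirrors "no forum" rather than clamping to the column maximum, so a bot request with a bogus f= value does not get attributed to a real forum.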

            People

            • Assignee: naderman (Nils Adermann)
            • Reporter: naderman (Nils Adermann)
            • Votes: 0
            • Watchers: 2
