[M-21] Terminal-type enum not validated in BBS admin create/update

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 1 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AdminBbsListingController.php:55, 108

Bug: Arbitrary strings accepted for terminal_type.

Fix: Enum whitelist with fallback.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:54pm

Resolved.

AdminBbsListingController::store and update now strict-validate terminal_type against the ENUM set (ansi/ascii/petscii/amiga/atascii) with ansi as the fallback. Matches the pattern already used by promoteToFeatured. Mariadb strict-mode truncation errors on bogus inputs are eliminated.

Locking this thread.

Related Discussions

[L-5] MaintenanceMiddleware bypass uses unvalidated $_SESSION['user_id']
Security Issues · 0 replies · 0 views
[L-4] AdminMiddleware re-queries user instead of using AuthMiddleware's validation
Security Issues · 0 replies · 0 views
[L-2] AdminConfigController::update accepts arbitrary timezone string
Security Issues · 0 replies · 0 views
[M-14] Upload credits paid before admin approval
Security Issues · 0 replies · 0 views
[M-12] AdminFileController::reject/deleteFile don't basename() stored_name
Security Issues · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy