01-07-2015 04:23 PM
Premium Member
Item Shop Validation
Items not in shop can be hacked into the shop and bought.
This probably affects at least the entire v1.3.x line, if not even earlier.
By simply right-clicking and inspecting the quantity field element on the shop page, a user can change the item name field client side and buy items that don't belong to that shop - or any shop, for that matter - so long as they know its name. Therefore, validation is necessary to confirm that the item does belong in the shop.
In classes/class_itemshop.php, down in public function purchase(), you'll want to fix this.
After $mysidia = Registry::get("mysidia"); you'll want to wrap the rest of the contents in:
PHP Code:
if ($item->shop != $this->shopname) Throw new NoPermissionException('Did you really think this item could be bought at this shop?'); else {
And close the else right before return $status;.
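The same server-side check as an added, self-contained sketch (not part of the original post and not Mysidia's own code): the class layout, the `purchaseUnchecked()` name and the catalogue entries are hypothetical and constructed for illustration, and PHP 8.1+ is assumed.

```php
<?php
// Added illustration; class, property and item names are hypothetical,
// not Mysidia's actual code. The catalogue is constructed sample data.
final class NoPermissionException extends Exception {}

final class Item {
    public function __construct(
        public readonly string $name,
        public readonly string $shop,   // shop that stocks the item
        public readonly int $price
    ) {}
}

final class ItemShop {
    /** @param array<string, Item> $catalogue every item in the game, keyed by name */
    public function __construct(
        private string $shopname,
        private array $catalogue
    ) {}

    // Before: trusts the item name sent by the browser.
    public function purchaseUnchecked(string $itemname): int {
        return $this->catalogue[$itemname]->price;
    }

    // After: the server confirms the item is stocked by this shop.
    public function purchase(string $itemname): int {
        $item = $this->catalogue[$itemname] ?? null;
        // Strict comparison avoids PHP's loose numeric-string matching ("1e1" == "10").
        if ($item === null || $item->shop !== $this->shopname) {
            throw new NoPermissionException('Item is not sold at this shop.');
        }
        return $item->price;
    }
}

$catalogue = [
    'Potion'     => new Item('Potion', 'General Store', 50),
    'Rare Sword' => new Item('Rare Sword', 'Event Shop', 9000),
];
$shop = new ItemShop('General Store', $catalogue);

echo $shop->purchaseUnchecked('Rare Sword'), "\n"; // tampered name is accepted
try {
    $shop->purchase('Rare Sword');
} catch (NoPermissionException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```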
Issue Details
Category: Unknown
Status: Unconfirmed
Priority: 4
Affected Version: Mys v1.3.4
Fixed Version: Mys v1.3.5
Users able to reproduce bug: 1
Users unable to reproduce bug: 0
Assigned Users: (none)
Tags: (none)
12-01-2020 12:22 PM
Issue Changed by Hall of Famer
- Issue marked as addressed
- Addressed version changed from Unknown to Mys v1.3.5