Pagination – DO NOT Trust User-Input
WoodMart support forum
This topic has 11 replies, 2 voices, and was last updated 2 years, 7 months ago by Elise Noromit.

April 9, 2022 at 5:51 am #367149
LiamTGCS (Participant)
Hi team,
You need to urgently look into the pagination for product categories, and probably every other single variable URL.
I have noticed that a user can set the ?per_page= value to however many products they want.
If there are, let’s say, 600 products in a category, a user can input ?per_page=600 and open this URL in multiple tabs, causing excessive server resources to be consumed. URL example:
https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list
Using the above link will display 600 products. The ONLY allowable ?per_page= should be what is pre-defined by the shop owner.
In my instance, I’ve set it to 8, 16, 32 and 64 products per page.
Any other values outside of this should NOT be accepted.
https://site.com/wp-admin/admin.php?page=xtemos_options&tab=general_section
“Products per page variations” – ONLY these values, within those ranges, should be accepted – i.e. 8 to 64 products.
I hope this makes sense.
Screenshots:
https://i.kutit.net/h/FHS0Vd.png
https://i.kutit.net/h/k1tKBI.png
https://i.kutit.net/h/jrapUA.png
https://i.kutit.net/h/IENgIs.png
Allowing the visitor to input any number they want is very bad, as user-input should NEVER be trusted.
April 10, 2022 at 2:36 am #367289
LiamTGCS (Participant)
Hi again team, I can see every other ticket has been replied to around this – I think this should be treated with a sense of urgency given the circumstances. Please let me know whether this ticket has been acknowledged.
April 10, 2022 at 3:01 am #367295
Elise Noromit (Member)
Hello,
https://gyazo.com/547d5aed88abc13c1ea8e85aa6af6cff This option stipulates the number of products per page.
https://gyazo.com/2db78721d135e80890802c8c7627583e This option will show the number of products that the visitor wants to see and the admin sets the allowable range or disable it.
You can set infinite scrolling or lazy loading and set 600 products per page. In this case the load would be less as products would be shown by scrolling the page.
If you have any questions please feel free to contact us.
Best Regards
April 10, 2022 at 3:22 am #367296
LiamTGCS (Participant)
You clearly have no idea what I’m reporting, do you?
The URL bar has the pagination products per page variable –
https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list
“?per_page=600”
This variable in the header SHOULD NOT, EVER trust user-input.
If a product category has 1,000 products, then the user can set “?per_page=1000”. This should NOT be accepted.
The ONLY per_page variables, in the browser, that should be accepted, are the ones set within the admin panel.
If I set “Products per page variations” to: 8,16,32,64, the ONLY variables, in the URL, should be:
?per_page=8
?per_page=16
?per_page=32
?per_page=64
Any values OUTSIDE of these ranges SHOULD NOT be accepted.
If I visit the link below:
https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list
and open this same URL in more than 1 tab, I can easily cause the server/host CPU usage to max out.
DO NOT TRUST USER-INPUT.
Again, the ONLY URLs that should work should be:
https://site.com/category/furniture-and-bedroom/?per_page=8&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=16&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=32&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=64&shop_view=list
NOT:
https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=1000&shop_view=list
This is a SECURITY issue and can cause the consumption of too many resources if the visitor sets the per_page to a ridiculous number, like 600-1000.
This reply was modified 2 years, 8 months ago by LiamTGCS.
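The allow-list check the reporter is asking for, written as an added example in plain PHP (this is not WoodMart’s code; the function names, the comma-separated "8,16,32,64" option format and the fall-back-to-default behaviour are assumptions). It also shows the min/max clamping policy that the support reply later mentions, so the two approaches can be compared on the same inputs:

```php
<?php
// Added example (not WoodMart's code): validate an untrusted per_page
// query value against the admin-defined variations instead of honouring it.
declare(strict_types=1);

/**
 * Exact-match allow-list policy.
 *
 * $raw     untrusted query value (e.g. $_GET['per_page']), may be null
 * $allowed admin-configured variations, assumed stored as "8,16,32,64"
 * $default shop's configured products-per-page value, used on any rejection
 */
function example_validate_per_page(?string $raw, string $allowed, int $default): int
{
    // Parse the admin setting into a set of positive integers.
    $allowedSet = [];
    foreach (explode(',', $allowed) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part) && (int) $part > 0) {
            $allowedSet[(int) $part] = true;
        }
    }

    // Reject anything that is not a short, plain positive integer:
    // null, empty, signs, decimals, letters, or absurdly long digit strings.
    if ($raw === null || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return $default;
    }
    $candidate = (int) $raw;

    // Only values the shop owner configured are accepted; everything else
    // (600, 1000, ...) falls back to the default instead of being served.
    return isset($allowedSet[$candidate]) ? $candidate : $default;
}

/**
 * Alternative bounded policy: accept any integer but clamp it into
 * [$min, $max], so a visitor can never request more than $max products.
 */
function example_clamp_per_page(?string $raw, int $min, int $max, int $default): int
{
    if ($raw === null || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return $default;
    }
    return max($min, min($max, (int) $raw));
}

// Constructed request values mirroring the thread's examples plus edge cases.
$cases = ['8', '16', '64', '600', '1000', '-1', '12abc', '', null];
foreach ($cases as $raw) {
    printf(
        "per_page=%-7s allow-list -> %-3d  clamp[8,64] -> %d\n",
        var_export($raw, true),
        example_validate_per_page($raw, '8,16,32,64', 16),
        example_clamp_per_page($raw, 8, 64, 16)
    );
}
```

Run with `php example.php`; `?per_page=600` and `?per_page=1000` come out as 16 under the allow-list policy and as 64 under the clamp policy, while `8`, `16` and `64` pass unchanged. In a WordPress theme the raw value would come from the `per_page` query variable and the allowed string from the theme’s options; the exact option key is not shown in the thread and is left as an assumption here. The allow-list policy is the stricter one and matches the reporter’s request; the clamp policy still bounds the worst case but lets visitors pick values the shop owner never configured.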
April 10, 2022 at 8:52 am #367315
LiamTGCS (Participant)
I suggest passing on the above issue to your technicians/developers. This needs to be investigated and fixed with a sense of urgency.
April 11, 2022 at 9:12 am #367538
Elise Noromit (Member)
Hello,
I have submitted the case to our development department and we will consider this in one of our future updates.
If you have any questions please feel free to contact us.
Best Regards
April 11, 2022 at 11:40 am #367587
LiamTGCS (Participant)
Thanks for getting back in touch,
I’d definitely appreciate an urgent update to this ticket as soon as this matter has been investigated – this is a security flaw and should definitely be treated with priority as it’ll affect most sites using this theme.
April 12, 2022 at 12:15 am #367739
Elise Noromit (Member)
Hello,
Our developers would do their best to implement this asap.
If you have any questions please feel free to contact us.
Best Regards
April 16, 2022 at 4:36 am #368784
LiamTGCS (Participant)
Hi team,
I can see here that this issue still hasn’t been resolved.
April 18, 2022 at 3:22 pm #369140
Elise Noromit (Member)
Hello,
I have submitted the case to our development department, and this feature will be added to the next theme update.
If you have any questions please feel free to contact us.
Best Regards
May 2, 2022 at 4:14 am #372396
LiamTGCS (Participant)
Hi team,
I can see here that pagination is still broken – a site visitor can still change the URL variable to whatever number they like, and it will load all products. Pagination should only show the pre-defined product values, so as to prevent server overloading.
Please urgently investigate the pagination issue to get this solved as this is considered a high-importance issue given the nature of the matter.
May 3, 2022 at 3:44 am #372615
Elise Noromit (Member)
Hello,
We will add filters to change the max and min values in version 6.5 of the theme.
If you have any questions please feel free to contact us.
Best Regards