Pagination – DO NOT Trust User-Input

Hi team,

You need to urgently look into the pagination for product categories, and probably every other single variable URL.

I have noticed that a user can set the ?per_page= value to however many products they want.

If there is let’s say 600 products in a category, a user can input ?per_page=600, and open this URL in multiple tabs, causing excessive server resources to be consumed. URL example:

https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list

Using the above link, will display 600 products. The ONLY allowable ?per_page= should be what is pre-defined by the shop owner.

In my instance, I’ve set it to 8, 16, 32 and 64 products per page.
Any other values outside of this should NOT be accepted.

https://site.com/wp-admin/admin.php?page=xtemos_options&tab=general_section

“Products per page variations” – ONLY these values, within those ranges should be accepted – IE 8 to 64 products.

I hope this makes sense.

Screenshots:

https://i.kutit.net/h/FHS0Vd.png

https://i.kutit.net/h/k1tKBI.png

https://i.kutit.net/h/jrapUA.png

https://i.kutit.net/h/IENgIs.png

Allowing the visitor to input any number they want is very bad, as user-input should NEVER be trusted.

Hi again team, I can see every other ticket has been replied to around this – I think this should be treated with a sense of urgency given the circumstances. Please let me know if this ticket has been acknowledged?

Hello,

https://gyazo.com/547d5aed88abc13c1ea8e85aa6af6cff This option stipulates the number of products per page.

https://gyazo.com/2db78721d135e80890802c8c7627583e This option will show the number of products that the visitor wants to see and the admin sets the allowable range or disable it.

You can set infinite scrolling or lazy loading and set 600 products per page. In this case the load would be less as products would be shown by scrolling the page.

If you have any questions please feel free to contact us.

Best Regards

[LiamTGCS]

You clearly have no idea what I’m reporting, do you?

The URL bar has the pagination products per page variable –

https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list

“?per_page=600”

This variable in the header SHOULD NOT, EVER trust user-input.

If a product category has 1,000 products, then the user can set “?per_page=1000”. This should NOT be accepted.

The ONLY per_page variables, in the browser, that should be accepted, are the ones set within the admin panel.

If I set “Products per page variations” to: 8,16,32,64, the ONLY variables, in the URL, should be:
?per_page=8
?per_page=16
?per_page=32
?per_page=64

Any values OUTSIDE of these ranges, SHOULD NOT be accepted.

If I visit the link below:
https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list

And open this same URL in more than 1 tab, I can easily cause the server/host CPU usage to max out.

DO NOT TRUST USER-INPUT.

Again, the ONLY URLs that should work should be:
https://site.com/category/furniture-and-bedroom/?per_page=8&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=16&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=32&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=64&shop_view=list

NOT:
https://site.com/category/furniture-and-bedroom/?per_page=600&shop_view=list
https://site.com/category/furniture-and-bedroom/?per_page=1000&shop_view=list

This is a SECURITY issue and can cause the consumption of too many resources if the visitor sets the per_page to a ridiculous number, like 600-1000.

• This reply was modified 2 years, 7 months ago by LiamTGCS.

I suggest passing-on the above issue to your technicians/developers. This needs to be investigated and fixed with a sense of urgency.

Hello,

I have submitted the case to our development department and we will consider this in one of our future updates.

If you have any questions please feel free to contact us.

Best Regards

Thanks for getting back in touch,

I’d definitely appreciate an urgent update to this ticket as soon as this matter has been investigated – this is a security flaw and should definitely be treated with priority as it’ll effect most sites using this theme.

Hello,

Our developers would do their best to implement this asap.

If you have any questions please feel free to contact us.

Best Regards

Hi team,

I can see here that this issue still hasn’t been resolved.

Hello,

I have submitted the case to our development department, and this feature will be added to the next theme update.

If you have any questions please feel free to contact us.

Best Regards

Hi team,

I can see here that pagination is still broken – site visitor can still change the URL variable to whatever number they like, and it will load all products. Pagination should only show the pre-defined product values, as to prevent server over-loading.

Please urgently investigate the pagination issue to get this solved as this is considered a high-importance issue given the nature of the matter.

Hello,

We will add filters to change the max and min values to 6.5 version of the theme.

If you have any questions please feel free to contact us.

Best Regards

[Author]

Posts