Closed GoogleCodeExporter closed 9 years ago
http://www.scenemusic.eu/demovibes/song/10783/votes/
Original comment by ara...@gmail.com
on 18 Oct 2009 at 3:06
User can inject arbitrary value of "0" (or in fact any value within the field format) into song vote info with specially crafted URL, for example see the above linked page - uservote of LittleWhite
Original comment by ara...@gmail.com
on 20 Oct 2009 at 10:58
http://code.google.com/p/demovibes/source/browse/trunk/demovibes/webview/views.py#728
Problem is there, it checks for number between 0 and 5, not 1 and 5.
Original comment by TheTerra...@gmail.com
on 20 Oct 2009 at 1:50
"User can inject arbitrary value of "0" (or in fact any value within the field
format) into song vote info with specially crafted URL, for example see the above linked page - uservote of LittleWhite"
Hogwash. User can set or change his vote to 0, and that's it. He can't "inject arbitrary value", and can't vote twice. He can't vote -1 or 6 either.
Original comment by TheTerra...@gmail.com
on 20 Oct 2009 at 1:53
User can legally vote 0, which in effect is the same as deleting an existing vote. The only case where this would cause a problem is when vote counting against totals is used, as the average will be off: users who voted / total votes. Technically, he voted (as 0), which increases the count. I'll see about changing to delete the vote entirely rather than setting it to 0.
Original comment by FishGuy8765@gmail.com
on 20 Oct 2009 at 2:01
Changed boundaries from 0-5 to 1-5
Original comment by TheTerra...@gmail.com
on 25 Nov 2009 at 10:59
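The boundary change and the effect of a stored 0 on the vote count and average, as an added Python example that is not demovibes code. `parse_vote`, `VoteStore`, `demo` and the three sample votes are hypothetical and constructed for illustration.

```python
# Added illustration; parse_vote, VoteStore and the sample votes are hypothetical,
# not taken from demovibes' views.py.
MIN_VOTE, MAX_VOTE = 1, 5  # boundaries after the fix (the old check allowed 0-5)


def parse_vote(raw, low=MIN_VOTE, high=MAX_VOTE):
    """Return the vote from a URL segment as an int, or None if not acceptable."""
    # One ASCII digit only: rejects "", "-1", "+3", "3.0", " 4", "05" and non-ASCII digits.
    if not (isinstance(raw, str) and len(raw) == 1 and raw.isascii() and raw.isdigit()):
        return None
    value = int(raw)
    return value if low <= value <= high else None


class VoteStore:
    """In-memory stand-in for one song's votes: at most one vote per user."""

    def __init__(self, low=MIN_VOTE, high=MAX_VOTE):
        self.low, self.high = low, high
        self.votes = {}  # user name -> int vote

    def set_vote(self, user, raw):
        value = parse_vote(raw, self.low, self.high)
        if value is None:
            return False           # rejected: nothing stored, nothing changed
        self.votes[user] = value   # sets or changes the vote, never adds a second
        return True

    def delete_vote(self, user):
        """Explicit removal, instead of storing 0 as a pseudo-vote."""
        return self.votes.pop(user, None) is not None

    def average(self):
        # None when nobody has voted, to avoid dividing by zero.
        return sum(self.votes.values()) / len(self.votes) if self.votes else None


def demo():
    """Replay the same three constructed requests under the old and new bounds."""
    results = {}
    for label, low in (("old 0-5", 0), ("new 1-5", 1)):
        store = VoteStore(low=low)
        for user, raw in (("alice", "5"), ("bob", "4"), ("carol", "0")):
            store.set_vote(user, raw)
        results[label] = (len(store.votes), store.average())
    return results
```

With the old bounds the 0 is stored and counted as a vote; with the new bounds it is rejected and the count and average reflect only the two real votes.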
Original issue reported on code.google.com by
ara...@gmail.com
on 18 Oct 2009 at 3:05