Closed (pv closed this 11 years ago)
Thanks for picking that up. I'm working on that section of the code at the moment to allow for library submissions. I will ensure that it can't cause malicious overwrites of previous submissions.
It definitely cannot create a new submission, but it might be able to override previous submissions.
If I read the code correctly, the code in
submissions/views.py:create_or_edit_submission_revision
trusts that the POST data contains a correct pk
entry. It seems to me that this allows an attacker to bypass authorization, and edit any submission even if they do not own it.
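The bug class described in the report, as an added example (not the project's code): a handler that loads whatever `pk` the client posts is shown beside one that resolves the record within the requester's own scope, the same effect as Django's `get_object_or_404(Submission, pk=pk, owner=request.user)`. The plain-Python stand-in for the view, the `Submission` type and the sample rows are all constructed for this illustration.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the requester may not edit the addressed submission."""


@dataclass
class Submission:
    pk: int
    owner: str
    text: str


def make_submissions():
    """Constructed sample rows standing in for the submissions table."""
    return {
        1: Submission(pk=1, owner="alice", text="alice's draft"),
        2: Submission(pk=2, owner="bob", text="bob's draft"),
    }


def edit_submission_unchecked(user, post, submissions):
    """Vulnerable pattern: the posted pk is trusted outright, so any
    authenticated user can edit any existing submission."""
    sub = submissions.get(int(post["pk"]))
    if sub is None:
        raise PermissionDenied("no such submission")
    sub.text = post["text"]
    return sub


def edit_submission_checked(user, post, submissions):
    """Hardened pattern: the object is looked up *and* ownership is checked
    in one step. A record that exists but belongs to someone else is
    reported exactly like a missing one, so the response does not reveal
    which pks are valid."""
    sub = submissions.get(int(post["pk"]))
    if sub is None or sub.owner != user:
        raise PermissionDenied("no such submission for this user")
    sub.text = post["text"]
    return sub
```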