Insufficient validation of form input
(1) By anonymous on 2021-09-13 12:56:01 [source]
On a POST request with content type multipart/form-data the names of the parameters are not properly sanitized. See lines 600 and 606. This makes it possible to set parameters such as FOSSIL_USER.
(2) By D. Richard Hipp (drh) on 2021-11-26 12:28:09 in reply to 1 [link] [source]
Thanks for catching and reporting this. Should now be fixed on trunk.
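An added example, not part of the thread and not Fossil's own code: one way to keep client-supplied multipart/form-data field names from colliding with server-set parameters such as FOSSIL_USER. The parameter table, the function names and the naming policy (lowercase first letter, then letters, digits or underscore) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 16

/* Hypothetical table shared by server-set values and form fields. */
struct param { const char *name; const char *value; };
static struct param params[MAX_PARAMS];
static int n_params = 0;

static const char *param_get(const char *name) {
    for (int i = 0; i < n_params; i++)
        if (strcmp(params[i].name, name) == 0) return params[i].value;
    return NULL;
}

/* Trusted path: values the server derives from its own environment. */
static int param_set_trusted(const char *name, const char *value) {
    if (n_params >= MAX_PARAMS) return 0;
    params[n_params].name = name;
    params[n_params].value = value;
    n_params++;
    return 1;
}

/* Assumed policy: a client-supplied name starts with a lowercase ASCII
 * letter and contains only ASCII letters, digits or '_'. */
static int form_name_is_safe(const char *name) {
    if (name == NULL || name[0] < 'a' || name[0] > 'z') return 0;
    for (const char *p = name; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '_';
        if (!ok) return 0;
    }
    return 1;
}

/* Untrusted path: called once per part of a multipart/form-data body. */
static int param_set_from_form(const char *name, const char *value) {
    if (!form_name_is_safe(name)) return 0;  /* drop the field */
    if (param_get(name) != NULL) return 0;   /* never overwrite an entry */
    return param_set_trusted(name, value);
}

int main(void) {
    param_set_trusted("FOSSIL_USER", "alice");  /* constructed sample value */
    printf("%d\n", param_set_from_form("FOSSIL_USER", "admin"));
    printf("%d\n", param_set_from_form("comment", "hello"));
    printf("%s\n", param_get("FOSSIL_USER"));
    return 0;
}
```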