Entering Date in Invalid DateTime Format Causes Page Error That May Reveal Sensitive Application Information

[PhilipRidgers]

Version

v2

Severity

Critical

Suggested Priority

High

Observed Behaviour

When entering a value in the 'date from' or 'date to' boxes of the 'Gigs' page, if the value isn't in the correct DateTime format (YYYY-MM-DD) then a page error occurs. The user is sent to an 'InvalidDatetimeFormat' page which contains details about the error, including SQL information. This should be investigated as a matter of urgency, in case any of the data could be used maliciously to access, modify or delete Giga's data and/or functionality.

Expected Behaviour

The user remains on the Gigs page and sees a message asking them to enter a valid date in the correct format.

Reproduction Steps

1. On 'Gigs' page, enter 2 in the 'date from' field.
2. Click 'Go'.

[PaulNGilson]

Probably OK for this first client demo, but at the same time we'll need to fix this at some point.

I'm going to try a date picker instead, as that'll be both a nicer user experience, something I can style with the rest of the site while I'm at it, and means I can avoid having to roll my own date validator code.

[PaulNGilson]

Date picker added to v3

[PhilipRidgers]

Unfortunately, this issue still persists with the new date picker. (We haven't tested it and marked anything about format yet; we were just verifying bug fixes at this stage. Putting in an invalid date – as in the first image – still leads to an error page with your date validator code on display.

[PaulNGilson]

Agreed it's not fixed...

Jo & Lou think the behaviour is now better, as the date pickers mean it's not mandatory to enter manually. So this gets deprioritised and looks like it won't make the v4 boat, currently.