Topic title restrictions are bypassed when category is changed in combination with title edit

Priority/Severity:

Medium

Platform

Windows 11

Google Chrome 114.0.5735.90 (Official Build) (64-bit)

Description:

Several restrictions on topic titles can be configured via the administrative settings. These include:

  • min topic title length
  • title min entropy
  • max emojis in title
  • allow duplicate topic titles

If the user changes the category when editing the topic title, the checks for compliance with these restrictions are bypassed.

Reproducible steps:

  1. Click the “New Topic” button.
  2. Add some text to the post field.
  3. Click the “Create Topic” button.
    :slightly_smiling_face: A “Title is required” error appears.
  4. Add a compliant title in the “Type title, or paste a link here” field.
  5. Click the “Create Topic” button.
    :slightly_smiling_face: The topic is created.
  6. Click the pencil icon to the right of the topic title.
    The topic edit UI opens.
  7. Change the title to aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  8. Click the button in the topic edit UI.
    :slightly_smiling_face: A dialog appears:

    An error occurred: Title seems unclear, most of the words contain the same letters over and over?

  9. Click the “OK” button in the dialog.
  10. Select another category from the category dropdown menu.
  11. Click the button in the topic edit UI.
    :slightly_smiling_face: A dialog appears:

    An error occurred: Title seems unclear, most of the words contain the same letters over and over?

  12. Click the “OK” button in the dialog.
  13. Click the X button in the dialog.
  14. Reload the page.
    :bug: Despite the indications to the contrary, the edit was successful. The topic now has a title in violation of the title min entropy setting.
  15. Click the pencil icon to the right of the topic title.
    The topic edit UI opens.
  16. Change the title to 🙃🙃🙃🙃🙃🙃🙃🙃 This title has many emoji
  17. Click the button in the topic edit UI.
    :slightly_smiling_face: A dialog appears:

    An error occurred: Title can’t have more than 1 emoji

  18. Click the “OK” button in the dialog.
  19. Select another category from the category dropdown menu.
  20. Click the button in the topic edit UI.
    :bug: The edit is successful. The topic now has a title with multiple emoji, in violation of the max emojis in title setting.
  21. Click the pencil icon to the right of the topic title.
    The topic edit UI opens.
  22. Change the title to a title that is already used by another topic on the forum.
  23. Click the button in the topic edit UI.
    :slightly_smiling_face: A dialog appears:

    An error occurred: Title has already been used

  24. Click the “OK” button in the dialog.
  25. Select another category from the category dropdown menu.
  26. Click the button in the topic edit UI.
    :bug: The edit is successful. The topic now has a duplicate title, in violation of the allow duplicate topic titles setting.
  27. Click the pencil icon to the right of the topic title.
    The topic edit UI opens.
  28. Delete the text from the topic title field.
  29. Click the button in the topic edit UI.
    :slightly_smiling_face: A dialog appears:

    Multiple errors occurred: 1) Title can’t be blank 2) Title is too short (minimum is 15 characters) 3) Title seems unclear, most of the words contain the same letters over and over?

  30. Click the “OK” button in the dialog.
  31. Select another category from the category dropdown menu.
  32. Click the button in the topic edit UI.
    :bug: The edit is successful. The topic now has no title, in violation of the min topic title length setting:
  33. Reload the page.
    :bug: The page fails to load:

    This page isn’t working

    try.discourse.org redirected you too many times.
    Try clearing your cookies.
    ERR_TOO_MANY_REDIRECTS

Additional context

I am able to reproduce the fault on try.discourse.org in “safe mode”.

5 Likes

I reproduced the “aaaaaaaaaaaaaaaaaaaaaaaa” section of the bug:

I reproduced it and it looks like it’s due to unqualified topic_slug

Feels borderline security to me… user is doing something they are not allowed to do.

Going to unlist this and prioritize internally, we should get it sorted in the next couple of weeks.

3 Likes

I apologize if I didn’t use the appropriate reporting workflow, sam.

1 Like

No worries at all, this particular one is borderline. We have still not 100% determined if this is CVE worthy or not, I am just being extra cautious.

4 Likes

I have been able to reproduce all the steps outlined in this topic. It seems like the topic validator is working to add the correct errors, but somehow the update transaction is not ensuring it’s valid before saving.

The biggest concern from these issues is the blank/empty topic title (last step), mainly because the page will keep reloading (infinite loop that is triggered from here). Aside from that it’s mainly a usability issue, as topics cannot be clicked from /latest as the title link does not exist.

2 Likes
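An added example, not part of the thread and not Discourse code: a toy in-memory model of the failure mode described in the reply above (errors are reported, yet the write still happens), next to a flow that rejects the whole change set, plus a regression check over the four titles from the report. The names `update_flawed`, `update_atomic` and `bypasses`, the entropy proxy and the fixture values are all assumptions made for illustration.

```ruby
# Toy in-memory model, constructed for illustration; not Discourse code.
MIN_LEN   = 15   # stands in for "min topic title length"
MAX_EMOJI = 1    # stands in for "max emojis in title"
EXISTING  = ["An existing topic title"]  # constructed duplicate-title fixture

def title_errors(title)
  errs = []
  errs << :blank          if title.strip.empty?
  errs << :too_short      if title.length < MIN_LEN
  # Crude entropy proxy (assumption): fewer than 5 distinct characters.
  errs << :low_entropy    if title.downcase.delete(" ").chars.uniq.size < 5
  errs << :too_many_emoji if title.scan(/[\u{1F300}-\u{1FAFF}]/).size > MAX_EMOJI
  errs << :duplicate      if EXISTING.include?(title)
  errs
end

# Hypothetical flawed flow: errors are reported, but the category-move
# branch persists the draft wholesale, unvalidated title included.
def update_flawed(store, id, title:, category: nil)
  draft  = store[id].merge(title: title)
  errors = title_errors(title)
  store[id] = draft if errors.empty?
  store[id] = draft.merge(category: category) if category
  errors
end

# Hardened flow: any error rejects the entire change set before a write.
def update_atomic(store, id, title:, category: nil)
  errors = title_errors(title)
  return errors unless errors.empty?
  store[id] = store[id].merge(title: title, category: category || store[id][:category])
  errors
end

BAD_TITLES = ["a" * 37, "\u{1F643}" * 8 + " This title has many emoji",
              "An existing topic title", ""].freeze

# Returns the rejected titles that were stored anyway; empty means no bypass.
def bypasses(updater, category)
  BAD_TITLES.select do |bad|
    store  = { 1 => { title: "A compliant starting title", category: "general" } }
    errors = send(updater, store, 1, title: bad, category: category)
    errors.any? && store[1][:title] == bad
  end
end

puts "flawed, title only:     #{bypasses(:update_flawed, nil).size} bypasses"
puts "flawed, title+category: #{bypasses(:update_flawed, 'support').size} bypasses"
puts "atomic, title+category: #{bypasses(:update_atomic, 'support').size} bypasses"
```

A test suite that only exercises title-only edits passes against the flawed flow, so the regression case has to combine the rejected title with a category change and assert on the stored state rather than on the returned errors.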

@per1234 Thank you for the report. You should have received the fix to this issue.

3 Likes

This topic was automatically closed after 2 days. New replies are no longer allowed.