Probable logic/security bug in $validatesConfirmationOf in /wheels/model/validations.cfm

[Adam Cameron]

Hi. Just cross-posting this from the CFML Slack Channel

 Can someone pls sanity check what I think is a logic/security bug in $validatesConfirmationOf in /wheels/model/validations.cfm? The function is thus:

 

```` 

public void function $validatesConfirmationOf() {

local.virtualConfirmProperty = arguments.property & "Confirmation";

if (

StructKeyExists(this, local.virtualConfirmProperty) && this[arguments.property] != this[local.virtualConfirmProperty]

) {

addError(property = local.virtualConfirmProperty, message = $validationErrorMessage(argumentCollection = arguments));

}

if (arguments.caseSensitive && (Compare(this[arguments.property], this[local.virtualConfirmProperty]) != 0)) {

addError(property = local.virtualConfirmProperty, message = $validationErrorMessage(argumentCollection = arguments));

}

}

````

That first condition circumvents the validation if the confirmation property isn't there at all. That should be a fail straight away, eg:

```

public void function $validatesConfirmationOf() {

local.virtualConfirmProperty = arguments.property & "Confirmation";

    if (!StructKeyExists(this, local.virtualConfirmProperty)) {

        return addError(property = local.virtualConfirmProperty, message = "you MUST specify the confirmation property if yer asking me to validate it!"));

    }

    // rest of it

}

```

Same issue exists in 1.4.x, which is where it's biting me.

Cheers for the eyes.

-- 

Adam

[Tom King]

Unless there's something I've forgotten, pretty sure that shouldn't happen - have created an issue:

https://github.com/cfwheels/cfwheels/issues/1070

[Adam Cameron]

NB: in the mean time discussed this with Tom King on Slack, and he's raised a ticket. Cheers!

[Adam Cameron]

Snap.