MAGETWO-51123: No proper input validation in security section

Joan He · Joan He · commit 1dc15e141852 · 2016-05-06T14:37:39.000-05:00
diff --git a/app/code/Magento/Security/etc/adminhtml/system.xml b/app/code/Magento/Security/etc/adminhtml/system.xml
@@ -21,15 +21,15 @@
                 <field id="max_number_password_reset_requests" translate="label comment" type="text" sortOrder="7" showInDefault="1" showInWebsite="1" showInStore="1">
                     <label>Max Number of Password Reset Requests</label>
                     <comment>Limit the number of password reset request per hour. Use 0 to disable.</comment>
-                    <validate>required-entry validate-zero-or-greater</validate>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
                     <depends>
                         <field id="password_reset_protection_type" separator="," negative="1">0</field>
                     </depends>
                 </field>
                 <field id="min_time_between_password_reset_requests" translate="label comment" type="text" sortOrder="8" showInDefault="1" showInWebsite="1" showInStore="1">
                     <label>Min Time Between Password Reset Requests</label>
                     <comment>Delay in minutes between password reset requests. Use 0 to disable.</comment>
-                    <validate>required-entry validate-zero-or-greater</validate>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
                     <depends>
                         <field id="password_reset_protection_type" separator="," negative="1">0</field>
                     </depends>
@@ -45,15 +45,15 @@
                 <field id="max_number_password_reset_requests" translate="label comment" type="text" sortOrder="6" showInDefault="1" showInWebsite="1" showInStore="1">
                     <label>Max Number of Password Reset Requests</label>
                     <comment>Limit the number of password reset request per hour. Use 0 to disable.</comment>
-                    <validate>required-entry validate-zero-or-greater</validate>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
                     <depends>
                         <field id="password_reset_protection_type" separator="," negative="1">0</field>
                     </depends>
                 </field>
                 <field id="min_time_between_password_reset_requests" translate="label comment" type="text" sortOrder="7" showInDefault="1" showInWebsite="1" showInStore="1">
                     <label>Min Time Between Password Reset Requests</label>
                     <comment>Delay in minutes between password reset requests. Use 0 to disable.</comment>
-                    <validate>required-entry validate-zero-or-greater</validate>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
                     <depends>
                         <field id="password_reset_protection_type" separator="," negative="1">0</field>
                     </depends>
