Fix Parameter based Indirect Object Referencing leading to private file exposure

This commit is contained in:
Frédéric Guillot 2023-05-24 20:36:34 -07:00 committed by Frédéric Guillot
parent cda45ddb30
commit 437b141fa2
1 changed files with 6 additions and 2 deletions


@ -89,10 +89,10 @@ abstract class BaseController extends Base
* @access protected
* @return array
* @throws PageNotFoundException
* @throws AccessForbiddenException
*/
protected function getFile()
{
$project_id = $this->request->getIntegerParam('project_id');
$task_id = $this->request->getIntegerParam('task_id');
$file_id = $this->request->getIntegerParam('file_id');
$model = 'projectFileModel';
@ -108,7 +108,11 @@ abstract class BaseController extends Base
}
if (isset($file['task_id']) && $file['task_id'] != $task_id) {
throw new AccessForbiddenException();
throw new PageNotFoundException();
}
if (isset($file['project_id']) && $file['project_id'] != $project_id) {
throw new PageNotFoundException();
}
$file['model'] = $model;