From 437b141fa2267df36976814e704517f30d2424bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Wed, 24 May 2023 20:36:34 -0700
Subject: [PATCH] Fix Parameter based Indirect Object Referencing leading to private file exposure

---
 app/Controller/BaseController.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index ca4ca081a..5aab7e4c1 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -89,10 +89,10 @@ abstract class BaseController extends Base
      * @access protected
      * @return array
      * @throws PageNotFoundException
-     * @throws AccessForbiddenException
      */
     protected function getFile()
     {
+        $project_id = $this->request->getIntegerParam('project_id');
         $task_id = $this->request->getIntegerParam('task_id');
         $file_id = $this->request->getIntegerParam('file_id');
         $model = 'projectFileModel';
@@ -108,7 +108,11 @@ abstract class BaseController extends Base
         }
 
         if (isset($file['task_id']) && $file['task_id'] != $task_id) {
-            throw new AccessForbiddenException();
+            throw new PageNotFoundException();
+        }
+
+        if (isset($file['project_id']) && $file['project_id'] != $project_id) {
+            throw new PageNotFoundException();
         }
 
         $file['model'] = $model;
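Review bot: The new project ownership check in the second hunk is guarded by `isset($file['project_id'])`, so for any file model whose row does not carry a `project_id` column the check is silently skipped and the file is only tied to the requested `task_id`, not to the project in the URL; if the task-file rows store only `task_id` (not visible here), the task itself should additionally be resolved and its project compared against `$project_id`, otherwise the IDOR this commit targets remains for that model. Both comparisons also use loose `!=`; since `getIntegerParam` yields an int and the row value may be a string, prefer an explicit cast with strict comparison, e.g. `if (isset($file['project_id']) && (int) $file['project_id'] !== $project_id) {`, and the same for the `task_id` line. Because the new variable reads `project_id` from the request, every route that reaches this method must now supply it, or the check will compare against the parameter's default and reject the file; that contract deserves a line in the docblock, e.g. `* Requires the project_id, task_id and file_id request parameters; throws PageNotFoundException when the file does not belong to them.` The body of getFile continues beyond the end of the hunk.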