AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix security issue: Unexpected access to any tasks from a shared public board

This commit is contained in:
Frederic Guillot 2016-03-04 22:06:55 -05:00
parent a7f3e3bec5
commit f9f5d7188b
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -5,6 +5,10 @@ Improvements:
* Added support for HTTP header "X-Forwarded-Proto: https"
Security issues:
* Access allowed to any tasks from the shared public board by changing the URL parameters
Version 1.0.26
--------------

8
app/Controller/Task.php
View File

@ -23,13 +23,17 @@ class Task extends Base
// Token verification
if (empty($project)) {
$this->forbidden(true);
return $this->forbidden(true);
}
$task = $this->taskFinder->getDetails($this->request->getIntegerParam('task_id'));
if (empty($task)) {
$this->notfound(true);
return $this->notfound(true);
}
if ($task['project_id'] != $project['id']) {
return $this->forbidden(true);
}
$this->response->html($this->helper->layout->app('task/public', array(