Fixed issue [security] #18866: Label sets can be replaced by any adm…

…in user (#3210) Fixed issue #18868: No CRSF control for delete action of label set
LimeSurvey · Jun 19, 2023 · 33372e4 · 33372e4
1 parent 01ed5e4
commit 33372e4
Showing 1 changed file with 21 additions and 7 deletions.
diff --git a/application/controllers/admin/labels.php b/application/controllers/admin/labels.php
@@ -340,30 +340,38 @@ public function process()
             Yii::app()->session['flashmessage'] = gT('Access denied!');
             $this->getController()->redirect(App()->createUrl("/admin"));
         }
-        $action = returnGlobal('action');
+        $action = App()->getRequest()->getParam('action');
         Yii::app()->loadHelper('admin/label');
-        $lid = (int) returnGlobal('lid');
-
+        $lid = (int) App()->getRequest()->getpost('lid');
         if ($action == "updateset" && Permission::model()->hasGlobalPermission('labelsets', 'update')) {
+            if (!$lid) {
+                throw new CHttpException(400);
+            }
             updateset($lid);
             Yii::app()->setFlashMessage(gT("Label set properties sucessfully updated."), 'success');
         }
         if ($action == "insertlabelset" && Permission::model()->hasGlobalPermission('labelsets', 'create')) {
-                    $lid = insertlabelset();
+            $lid = insertlabelset();
         }
         if (($action == "modlabelsetanswers" || ($action == "ajaxmodlabelsetanswers")) && Permission::model()->hasGlobalPermission('labelsets', 'update')) {
-                    modlabelsetanswers($lid);
+            if (!$lid) {
+                throw new CHttpException(400);
+            }
+            modlabelsetanswers($lid);
         }
         if ($action == "deletelabelset" && Permission::model()->hasGlobalPermission('labelsets', 'delete')) {
+            if (!$lid) {
+                throw new CHttpException(400);
+            }
             if (deletelabelset($lid)) {
                 Yii::app()->setFlashMessage(gT("Label set sucessfully deleted."), 'success');
                 $lid = 0;
             }
         }
         if ($lid) {
-                    $this->getController()->redirect(array("admin/labels/sa/view/lid/".$lid));
+            $this->getController()->redirect(array("admin/labels/sa/view/lid/".$lid));
         } else {
-                    $this->getController()->redirect(array("admin/labels/sa/view"));
+            $this->getController()->redirect(array("admin/labels/sa/view"));
         }
     }
 
@@ -438,13 +446,19 @@ public function ajaxSets()
         }
         $language = trim($language);
         if ($lid == 0) {
+            if (!Permission::model()->hasGlobalPermission('labelsets', 'create')) {
+                throw new CHttpException(403);
+            }
             $lset = new LabelSet;
             $lset->label_name = Yii::app()->getRequest()->getPost('laname');
             $lset->languages = $language;
             $lset->save();
 
             $lid = getLastInsertID($lset->tableName());
         } else {
+            if (!Permission::model()->hasGlobalPermission('labelsets', 'update')) {
+                throw new CHttpException(403);
+            }
             Label::model()->deleteAll('lid = :lid', array(':lid' => $lid));
         }
         $res = 'ok'; //optimistic