Fixed issue #15690: User with XSS enable can add/update scripts (#1364)

* Fixed issue #15690: User with XSS enable can add/update scripts
LimeSurvey · Jan 10, 2020 · 4774b18 · 4774b18
1 parent 88c5e79
commit 4774b18
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 6 deletions.
diff --git a/application/controllers/admin/questionedit.php b/application/controllers/admin/questionedit.php
@@ -454,8 +454,9 @@ public function getQuestionPermissions($iQuestionId = null)
             "update" => Permission::model()->hasSurveyPermission($oQuestion->sid, 'survey', 'update'),
             "editorpreset" => App()->session['htmleditormode'],
             "script" =>
-            SettingsUser::getUserSetting('showScriptEdit', App()->user->id)
-            && Permission::model()->hasSurveyPermission($oQuestion->sid, 'survey', 'update'),
+            Permission::model()->hasSurveyPermission($oQuestion->sid, 'survey', 'update')
+            && App()->user->isScriptUpdateAllowed()
+            && SettingsUser::getUserSetting('showScriptEdit', App()->user->id),
         ];
 
         $this->renderJSON($aPermissions);

diff --git a/application/core/LSWebUser.php b/application/core/LSWebUser.php
@@ -50,7 +50,7 @@ public function hasFlash($key)
     }
 
     /**
-     * Replace default system to return only one flash … 
+     * Replace default system to return only one flash …
      */
     public function getFlashes($delete = true)
     {
@@ -122,4 +122,29 @@ public function isInUserGroup($gid)
             return false;
         }
     }
+
+    /**
+     * Check if user have xss allowed
+     * @return boolean
+     */
+    public function isXssFiltered()
+    {
+        if (Yii::app()->getConfig('DBVersion') < 172) {
+            // Permission::model exist only after 172 DB version
+            return Yii::app()->getConfig('filterxsshtml');
+        }
+        if (Yii::app()->getConfig('filterxsshtml')) {
+            return !\Permission::model()->hasGlobalPermission('superadmin', 'read');
+        }
+        return false;
+    }
+
+    /**
+     * Check if user is allowed to edit script
+     * @return boolean
+     */
+    public function isScriptUpdateAllowed()
+    {
+        return !$this->isXssFiltered();
+    }
 }
diff --git a/application/core/LSYii_NoUpdateValidator.php b/application/core/LSYii_NoUpdateValidator.php
@@ -0,0 +1,39 @@
+<?php
+/*
+ * LimeSurvey
+ * Copyright (C) 2020 The LimeSurvey Project Team / Carsten Schmitz
+ * All rights reserved.
+ * License: GNU/GPL License v2 or later, see LICENSE.php
+ * LimeSurvey is free software. This version may have been modified pursuant
+ * to the GNU General Public License, and as distributed it includes or
+ * is derivative of works licensed under the GNU General Public License or
+ * other free or open source software licenses.
+ * See COPYRIGHT.php for copyright notices and details.
+ *
+ * Disable update of a specific column, used for Question->script in 4.0.0
+ * @author Denis Chenu
+ * @since 4.0.0-RC13
+ */
+
+class LSYii_NoUpdateValidator extends CValidator
+{
+
+    /**
+     * @inheritdoc
+     * Act like a filter : automatically set to previous value
+     * @link : https://bugs.limesurvey.org/view.php?id=15690
+     */
+    public function validateAttribute($object, $attribute)
+    {
+        if ($object->isNewRecord) {
+            $object->$attribute = '';
+            return;
+        }
+        if (empty($object->getPrimaryKey())) {
+            throw new \Exception('Unable to use LSYii_NoUpdateValidator without PrimaryKey');
+        }
+        $classOfObject = get_class($object);
+        $originalObject = $classOfObject::model()->findByPk($object->getPrimaryKey());
+        $object->$attribute = $originalObject->$attribute;
+    }
+}
diff --git a/application/core/LSYii_Validators.php b/application/core/LSYii_Validators.php
@@ -48,8 +48,8 @@ public function __construct()
             // Permission::model exist only after 172 DB version
             return $this->xssfilter = ($this->xssfilter && Yii::app()->getConfig('filterxsshtml'));
         }
-        $this->xssfilter = ($this->xssfilter && Yii::app()->getConfig('filterxsshtml') && !Permission::model()->hasGlobalPermission('superadmin', 'read'));
-        return null;
+        $this->xssfilter = ($this->xssfilter && Yii::app()->user->isXssFiltered());
+        return;
     }
 
     protected function validateAttribute($object, $attribute)

diff --git a/application/models/QuestionL10n.php b/application/models/QuestionL10n.php
@@ -73,13 +73,17 @@ public function defaultScope()
     /** @inheritdoc */
     public function rules()
     {
-        return array(
+        $rules = array(
             ['qid,language', 'required'],
             ['qid', 'numerical', 'integerOnly'=>true],
             array('question', 'LSYii_Validators'),
             array('help', 'LSYii_Validators'),
             array('script', 'LSYii_Validators'),
             array('language', 'length', 'min' => 2, 'max'=>20), // in array languages ?
         );
+        if (!Yii::app()->user->isScriptUpdateAllowed()) {
+            $rules[] = array('script', 'LSYii_NoUpdateValidator');
+        }
+        return $rules;
     }
 }