Fixed issue #15221: unable to send mail to participants - apache handler error 403

Dev: security must check only user request
Dev: fix invalid sid param in quota
Shnoulle committed Sep 4, 2019
1 parent 4d9e779 commit de7707d
Showing 2 changed files with 6 additions and 5 deletions.
7 changes: 4 additions & 3 deletions application/core/Survey_Common_Action.php
Expand Up @@ -121,15 +121,16 @@ private function _addPseudoParams($params)
'browselang' => 'sBrowseLang',
'tokenids' => 'aTokenIds',
'tokenid' => 'iTokenId',
'subaction' => 'sSubAction',
'subaction' => 'sSubAction', // /!\ Already filled by sa : can be different (usage of subaction in quota at 2019-09-04)
);

// Foreach pseudo, take the key, if it exists,
// Populate the values (taken as an array) as keys in params
// with that key's value in the params
// Chek is 2 params are equal for security issue.
foreach ($pseudos as $key => $pseudo) {
if (isset($params[$key])) {
// We care only for user parameters, not by code parameters (see issue #15221)
if (Yii::app()->getRequest()->getParam($key)) {
$params[$key] = Yii::app()->getRequest()->getParam($key);
$pseudo = (array) $pseudo;
foreach ($pseudo as $pseud) {
if (empty($params[$pseud])) {
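Review bot: the new guard `if (Yii::app()->getRequest()->getParam($key))` is a truthiness test, so a user-supplied value that evaluates to false (for example the string "0") is silently skipped and `$params[$key]` is never populated from the request; if any of these keys can legitimately carry such a value, test for presence instead, e.g. `$value = Yii::app()->getRequest()->getParam($key); if ($value !== null) { $params[$key] = $value;`, which also avoids calling `getParam()` twice for the same key. Since this hunk drops the `isset($params[$key])` branch, the context comment "Chek is 2 params are equal for security issue." no longer describes what the loop does (it now trusts only the request value, as the new comment says); updating or removing that sentence (and fixing "Chek is" to "Check if") would keep the comment accurate.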
4 changes: 2 additions & 2 deletions application/views/admin/quotas/newanswer_view.php
Expand Up @@ -4,7 +4,7 @@
?>

<div class='side-body <?php echo getSideBodyClass(false); ?>'>
<div class="row">
<div class="row">
<div class="col-lg-8 content-right">
<h3>
<?php eT("Survey quota");?>: <?php eT("Add answer");?>
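Review bot: the removed and added `<div class="row">` lines are identical apart from leading whitespace, so this hunk is a pure indentation change unrelated to the sid fix described in the commit message; it would be cleaner in a separate formatting commit, or at least mentioned in the message so reviewers do not look for a functional difference here.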
Expand Down Expand Up @@ -34,7 +34,7 @@
<input name="submit" type="submit" class="submit btn btn-default" value="<?php eT("Next");?>" />
</div>
</div>
<input type="hidden" name="sid" value="'.$iSurveyId.'" />
<input type="hidden" name="sid" value="<?php echo $iSurveyId;?>" />
<input type="hidden" name="action" value="quotas" />
<input type="hidden" name="subaction" value="new_answer_two" />
<input type="hidden" name="quota_id" value="<?php echo sanitize_int($oQuota->id);?>" />
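Review bot: the old line wrote the literal text `'.$iSurveyId.'` into the hidden field (string-concatenation syntax pasted into a template), so the form never posted a real survey id, which is the "invalid sid param in quota" the message refers to; the replacement `<?php echo $iSurveyId;?>` fixes that. For consistency with the neighbouring `sanitize_int($oQuota->id)` on the quota_id field, consider `<?php echo sanitize_int($iSurveyId);?>` (or an `(int)` cast) so the value is guaranteed to be emitted as an integer.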

2 comments on commit de7707d

@Shnoulle
Collaborator Author

Strange: button is not there but no 403 error shown …

@Shnoulle
Collaborator Author

Travis fixed here: e13cbeb

Don't find the parameter updated … by the request …
