

EZP-28298: Legacy leaks object names by object link/embed
Fix object name/path leakage for object and node links and embeds
Fix object name leakage for embeds in eZ OE
Fix object name leakage for links/embeds in related objects list
glye committed Feb 26, 2018
1 parent efcd2b6 commit f9ffaf5
Showing 6 changed files with 21 additions and 7 deletions.
6 changes: 3 additions & 3 deletions design/admin/templates/content/edit_relations.tpl
@@ -40,7 +40,7 @@
</p>
{else}
<p>
{$RelatedImageObjects.item.name|wash} - {"You do not have permission to view this object"|i18n( 'design/admin/content/edit' )}
{"You do not have permission to view this object"|i18n( 'design/admin/content/edit' )}
</p>
{/if}
<input class="linkbox" type="text" value="&lt;embed href='ezobject://{$RelatedImageObjects.item.id}' /&gt;" readonly="readonly" title="{'Copy this code and paste it into an XML field to embed the object.'|i18n( 'design/admin/content/edit' )}" /><br />
@@ -105,7 +105,7 @@
</td>
{else}
<td class="checkbox">&nbsp;</td>
<td colspan="3">{$RelatedFileObjects.item.name|wash} - {"You do not have permission to view this object"|i18n( 'design/admin/content/edit' )}</td>
<td colspan="3">{"You do not have permission to view this object"|i18n( 'design/admin/content/edit' )}</td>
<td class="code">
<input class="linkbox" type="text" value="&lt;embed href='ezobject://{$RelatedFileObjects.item.id}' /&gt;" readonly="readonly" title="{'Copy this code and paste it into an XML field to embed the object.'|i18n( 'design/admin/content/edit' )}" /><br />
<input class="linkbox" type="text" value="&lt;link href='ezobject://{$RelatedFileObjects.item.id}'&gt;&lt;/link&gt;" readonly="readonly" title="{'Copy this code and paste it into an XML field to link the object.'|i18n( 'design/admin/content/edit' )}" />
@@ -167,7 +167,7 @@
</td>
{else}
<td class="checkbox">&nbsp;</td>
<td colspan="2">{$RelatedObjects.item.name|wash} - {"You do not have permission to view this object"|i18n( 'design/admin/content/edit' )}</td>
<td colspan="2">{"You do not have permission to view this object"|i18n( 'design/admin/content/edit' )}</td>
<td class="code">
<input class="linkbox" type="text" value="&lt;embed href='ezobject://{$RelatedObjects.item.id}' /&gt;" readonly="readonly" title="{'Copy this code and paste it into an XML field to embed the object.'|i18n( 'design/admin/content/edit' )}" />
<input class="linkbox" type="text" value="&lt;link href='ezobject://{$RelatedObjects.item.id}'&gt;&lt;/link&gt;" readonly="readonly" title="{'Copy this code and paste it into an XML field to link the object.'|i18n( 'design/admin/content/edit' )}" />
@@ -1,2 +1,2 @@
{* DO NOT EDIT THIS FILE! Use an override template instead. *}
{pdf(text, concat( $object.name|wash, " - You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' ) )|wash(pdf) )}
{pdf(text, "You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' )|wash(pdf) )}
@@ -1,2 +1,2 @@
{* DO NOT EDIT THIS FILE! Use an override template instead. *}
{pdf(text, concat( $object.name|wash, " - You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' ) )|wash(pdf) )}
{pdf(text, "You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' )|wash(pdf) )}
@@ -1 +1 @@
{* DO NOT EDIT THIS FILE! Use an override template instead. *}{$object.name|wash} - {"You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' )}.
{* DO NOT EDIT THIS FILE! Use an override template instead. *}{"You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' )}.
@@ -1,4 +1,4 @@
{* DO NOT EDIT THIS FILE! Use an override template instead. *}
<div class="object-{$object_parameters.align}{if ne($classification|trim,'')} {$classification|wash}{/if}"{if is_set($id)} id="{$id}"{/if}>
{$object.name|wash} - {"You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' )}.
{"You do not have permission to view this object"|i18n( 'design/admin/node/view/embed' )}.
</div>
Expand Up @@ -203,6 +203,13 @@ function initHandlerLink( $element, &$attributes, &$siblingParams, &$parentParam

if ( $node != null )
{
if ( !$node->object()->canRead() )
{
eZDebug::writeWarning( "Current user does not have read access to the object of node #$nodeID",
'XML output handler: link' );
return $ret;
}

$view = $element->getAttribute( 'view' );
if ( $view )
$href = 'content/view/' . $view . '/' . $nodeID;
Expand All @@ -220,6 +227,13 @@ function initHandlerLink( $element, &$attributes, &$siblingParams, &$parentParam
if ( isset( $this->ObjectArray["$objectID"] ) )
{
$object = $this->ObjectArray["$objectID"];
if ( !$object->canRead() )
{
eZDebug::writeWarning( "Current user does not have read access to the object #$objectID",
'XML output handler: link' );
return $ret;
}

$node = $object->attribute( 'main_node' );
if ( $node )
{
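Review bot: The guard added in the first hunk calls `$node->object()->canRead()` without confirming that `object()` returned an object; if a node can exist whose object lookup yields null (not verifiable from this hunk), the access check would fatal instead of denying. A defensive form is `$object = $node->object();` followed by `if ( $object === null || !$object->canRead() )`, which also lines up with the shape of the check in the second hunk. The two added blocks are otherwise identical apart from the log text, so a small private helper taking the object and the message would remove the duplication and make it harder to miss another lookup path — the branch taken when `$objectID` is not in `$this->ObjectArray` starts outside the hunk and is not visibly guarded. Both early exits return `$ret`, whose initialisation is in the part of initHandlerLink that lies outside these hunks.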
