Prevent users from voting for invalid Slowvote options

epriestley · epriestley · commit d38e768ed877 · 2018-11-06T09:21:18.000-08:00
Summary: Depends on D19773. See <https://hackerone.com/reports/434116>. You can currently vote for invalid options by submitting, e.g., `vote[]=12345`. By doing this, you can see the responses, which is sort of theoretically a security problem? This is definitely a bug, regardless. Instead, only allow users to vote for options which are actually part of the poll. Test Plan: - Tried to vote for invalid options by editing the form to `vote[]=12345` (got error). - Tried to vote for invalid options by editing the radio buttons on a plurality poll into checkboxes, checking multiple boxes, and submitting (got error). - Voted in approval and plurality polls the right way, from the main web UI and from the embed (`{V...}`) UI. Reviewers: amckinley Reviewed By: amckinley Differential Revision: https://secure.phabricator.com/D19774
diff --git a/src/applications/slowvote/controller/PhabricatorSlowvoteVoteController.php b/src/applications/slowvote/controller/PhabricatorSlowvoteVoteController.php
@@ -7,6 +7,10 @@ public function handleRequest(AphrontRequest $request) {
     $viewer = $request->getViewer();
     $id = $request->getURIData('id');
 
+    if (!$request->isFormPost()) {
+      return id(new Aphront404Response());
+    }
+
     $poll = id(new PhabricatorSlowvoteQuery())
       ->setViewer($viewer)
       ->withIDs(array($id))
@@ -16,31 +20,36 @@ public function handleRequest(AphrontRequest $request) {
     if (!$poll) {
       return new Aphront404Response();
     }
+
     if ($poll->getIsClosed()) {
       return new Aphront400Response();
     }
 
     $options = $poll->getOptions();
-    $viewer_choices = $poll->getViewerChoices($viewer);
-
-    $old_votes = mpull($viewer_choices, null, 'getOptionID');
+    $options = mpull($options, null, 'getID');
 
-    if (!$request->isFormPost()) {
-      return id(new Aphront404Response());
-    }
+    $old_votes = $poll->getViewerChoices($viewer);
+    $old_votes = mpull($old_votes, null, 'getOptionID');
 
     $votes = $request->getArr('vote');
     $votes = array_fuse($votes);
 
-    $this->updateVotes($viewer, $poll, $old_votes, $votes);
+    $method = $poll->getMethod();
+    $is_plurality = ($method == PhabricatorSlowvotePoll::METHOD_PLURALITY);
 
-    return id(new AphrontRedirectResponse())->setURI('/V'.$poll->getID());
-  }
+    if ($is_plurality && count($votes) > 1) {
+      throw new Exception(
+        pht('In this poll, you may only vote for one option.'));
+    }
 
-  private function updateVotes($viewer, $poll, $old_votes, $votes) {
-    if (!empty($votes) && count($votes) > 1 &&
-        $poll->getMethod() == PhabricatorSlowvotePoll::METHOD_PLURALITY) {
-      return id(new Aphront400Response());
+    foreach ($votes as $vote) {
+      if (!isset($options[$vote])) {
+        throw new Exception(
+          pht(
+            'Option ("%s") is not a valid poll option. You may only '.
+            'vote for valid options.',
+            $vote));
+      }
     }
 
     foreach ($old_votes as $old_vote) {
@@ -60,6 +69,9 @@ private function updateVotes($viewer, $poll, $old_votes, $votes) {
         ->setOptionID($vote)
         ->save();
     }
+
+    return id(new AphrontRedirectResponse())
+      ->setURI($poll->getURI());
   }
 
 }
