Filter db information searches to limit results to databases owned by…

… current user
AlternC · Sep 28, 2023 · 6a3af13 · 6a3af13
1 parent 20db4fc
commit 6a3af13
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/bureau/class/m_mysql.php b/bureau/class/m_mysql.php
@@ -592,9 +592,22 @@ function get_userslist($all = null) {
 
 
     function get_defaultsparam($dbn) {
-        global $db, $msg, $cuid;
+        global $db, $mem, $msg, $cuid;
         $msg->debug("mysql", "getdefaults");
 
+        $login=$mem->user["login"];
+        # The first condition allows us to access our "default" database, where the
+        # name matches exactly our login name. The second condition allows us to
+        # access the other databases suffixed with "_.*"
+        # The condition is split into two here to avoid the following situation:
+        #   * Given two accounts "example" and "exampleb", with defaults (un-suffixed)
+        # databases, the user of account "example" could read the parameter information
+        # for "exampleb".
+        if (($dbn != $login) && !preg_match("#^$login\_#", $dbn)) {
+                $msg->raise("ERROR", "mysql",_("Database not found")." (5)");
+                return false;
+        }
+
         $dbu = $dbn;
         $r = array();
         $dbn = str_replace('_', '\_', $dbn);
@@ -624,7 +637,7 @@ function get_defaultsparam($dbn) {
                 }
             }
 
-            if (!$db->query("SELECT name,password from dbusers where name= ? ;", array($dbu))) {
+            if (!$db->query("SELECT name,password from dbusers where name= ? and uid= ? ;", array($dbu, $cuid))) {
                 $msg->raise("ERROR", "mysql",_("Database not found")." (3)");
                 return false;
             }