

SEC: A user with export permission can export module data without
permission on module by jumping to the export step 2 with URL IDOR
attack.
eldy committed Apr 19, 2024
1 parent 6222a75 commit 601ace1
Showing 1 changed file with 45 additions and 0 deletions.
45 changes: 45 additions & 0 deletions htdocs/exports/export.php
Expand Up @@ -269,6 +269,11 @@
}

if ($action == 'builddoc') {
// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

$separator = GETPOST('delimiter', 'alpha');
$max_execution_time_for_importexport = (!getDolGlobalString('EXPORT_MAX_EXECUTION_TIME') ? 300 : $conf->global->EXPORT_MAX_EXECUTION_TIME); // 5mn if not defined
$max_time = @ini_get("max_execution_time");
Expand All @@ -290,6 +295,11 @@

// Delete file
if ($step == 5 && $action == 'confirm_deletefile' && $confirm == 'yes') {
// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

$file = $upload_dir."/".GETPOST('file');

$ret = dol_delete_file($file);
Expand All @@ -303,6 +313,11 @@
}

if ($action == 'deleteprof') {
// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

if (GETPOSTINT("id")) {
$objexport->fetch(GETPOSTINT('id'));
$result = $objexport->delete($user);
Expand All @@ -311,6 +326,11 @@

// TODO The export for filter is not yet implemented (old code created conflicts with step 2). We must use same way of working and same combo list of predefined export than step 2.
if ($action == 'add_export_model') {
// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

if ($export_name) {
asort($array_selected);

Expand Down Expand Up @@ -386,6 +406,11 @@

// Get form with filters
if ($step == 4 && $action == 'submitFormField') {
// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

// on boucle sur les champs selectionne pour recuperer la valeur
if (is_array($objexport->array_export_TypeFields[0])) {
$_SESSION["export_filtered_fields"] = array();
Expand Down Expand Up @@ -469,6 +494,11 @@
}

if ($step == 2 && $datatoexport) {
// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');

$h = 0;
Expand Down Expand Up @@ -646,6 +676,11 @@
exit;
}

// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');

$h = 0;
Expand Down Expand Up @@ -810,6 +845,11 @@
exit;
}

// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

asort($array_selected);

llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');
Expand Down Expand Up @@ -1079,6 +1119,11 @@
exit;
}

// Check permission
if (empty($objexport->array_export_perms[0])) {
accessforbidden();
}

asort($array_selected);

llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');
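Review bot: The identical five-line permission gate is pasted nine times in this file (builddoc, confirm_deletefile, deleteprof, add_export_model, submitFormField, the step-2 block and the three later step blocks), so the next action branch someone adds can silently miss it. Extracting it into one helper beside the handlers, `function exportPermCheckOrDie($objexport): void { if (empty($objexport->array_export_perms[0])) { accessforbidden(); } }`, or running the check once before the action dispatch for every request where `$datatoexport` is set, would leave a single place to audit. Each copy also relies on `array_export_perms[0]` having been filled for the dataset named by `$datatoexport` by code above the hunks, and treats a missing entry as fail-closed; a comment such as `// empty when the requested dataset was not loaded or the user lacks the export right on its module` on the check would make that intent explicit. The `if` blocks enclosing the last three checks start above their hunks.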

