From 601ace178c196747142bc7c2bbbdad6f89d578f9 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 19 Apr 2024 17:36:38 +0200
Subject: [PATCH] SEC: A user with export permission can export module data without permission on module by jumping to the export step 2 with URL IDOR attack.

---
 htdocs/exports/export.php | 45 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php
index dac7cee794c39..ebe87636b3a1b 100644
--- a/htdocs/exports/export.php
+++ b/htdocs/exports/export.php
@@ -269,6 +269,11 @@
 }
 if ($action == 'builddoc') {
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	$separator = GETPOST('delimiter', 'alpha');
 	$max_execution_time_for_importexport = (!getDolGlobalString('EXPORT_MAX_EXECUTION_TIME') ? 300 : $conf->global->EXPORT_MAX_EXECUTION_TIME); // 5mn if not defined
 	$max_time = @ini_get("max_execution_time");
@@ -290,6 +295,11 @@
 // Delete file
 if ($step == 5 && $action == 'confirm_deletefile' && $confirm == 'yes') {
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	$file = $upload_dir."/".GETPOST('file');
 	$ret = dol_delete_file($file);
@@ -303,6 +313,11 @@
 }
 if ($action == 'deleteprof') {
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	if (GETPOSTINT("id")) {
 		$objexport->fetch(GETPOSTINT('id'));
 		$result = $objexport->delete($user);
@@ -311,6 +326,11 @@
 // TODO The export for filter is not yet implemented (old code created conflicts with step 2). We must use same way of working and same combo list of predefined export than step 2.
 if ($action == 'add_export_model') {
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	if ($export_name) {
 		asort($array_selected);
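Review bot: The guard added ahead of `$separator = GETPOST('delimiter', 'alpha');` is the same five-line block pasted into every action and step of this file, so any branch added later that forgets it reopens exactly the hole this commit closes; the more robust shape is a single deny-by-default check placed right after `$objexport->array_export_perms` is filled (that code is not in view), e.g. `if ($datatoexport && empty($objexport->array_export_perms[0])) { accessforbidden(); }`, which still lets the dataset-selection page with no `$datatoexport` render. `empty()` fails closed when the perms array was never populated, which is the right direction, but the bare `// Check permission` comment should say what is special here, e.g. `// The export right alone is not enough: the user also needs the right on the module that owns this dataset`. The `if ($action == 'builddoc')` block continues past the hunk.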
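Review bot: The new check settles who may delete, but the line right after it, `$file = $upload_dir."/".GETPOST('file');`, still builds the target path from the raw `file` parameter, so unless GETPOST's default filter or `dol_delete_file()` rejects `..` segments (neither is visible here) a request can point the deletion outside `$upload_dir`. Restricting the value to a single path component, `$file = $upload_dir."/".basename(GETPOST('file'));`, closes that independently of the permission check. The `if ($step == 5 && ...)` block continues past the hunk.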
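Review bot: The guard checks the right on the dataset named in the URL, but the profile removed below is selected by `GETPOSTINT("id")` alone and nothing in the hunk ties that id to `$datatoexport`; unless `fetch()` or `delete()` enforce it (not visible here), a user holding the right on one dataset could delete a profile that belongs to another by supplying its id, which is the same IDOR class the commit title describes. Checking the return of `$objexport->fetch(GETPOSTINT('id'))` and comparing the fetched profile's dataset with `$datatoexport` before `$objexport->delete($user)` would close that. The `if ($action == 'deleteprof')` block continues past the hunk.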
@@ -386,6 +406,11 @@
 // Get form with filters
 if ($step == 4 && $action == 'submitFormField') {
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	// on boucle sur les champs selectionne pour recuperer la valeur
 	if (is_array($objexport->array_export_TypeFields[0])) {
 		$_SESSION["export_filtered_fields"] = array();
@@ -469,6 +494,11 @@
 }
 if ($step == 2 && $datatoexport) {
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');
 	$h = 0;
@@ -646,6 +676,11 @@
 		exit;
 	}
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');
 	$h = 0;
@@ -810,6 +845,11 @@
 		exit;
 	}
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	asort($array_selected);
 	llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');
@@ -1079,6 +1119,11 @@
 		exit;
 	}
+	// Check permission
+	if (empty($objexport->array_export_perms[0])) {
+		accessforbidden();
+	}
+
 	asort($array_selected);
 	llxHeader('', $langs->trans("NewExport"), 'EN:Module_Exports_En|FR:Module_Exports|ES:Módulo_Exportaciones');
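Review bot: The guard added under `if ($step == 2 && $datatoexport)` is the one that actually stops the "jump to step 2" path from the commit title, yet its comment says only `// Check permission`, which a reader will take for a duplicate of the file's export-right check rather than a second, per-module right; the comment should state the distinction, e.g. `// Having the export right is not enough: the user must also hold the right on the module owning $datatoexport (array_export_perms is filled when the dataset arrays are loaded)`. Indexing `array_export_perms[0]` presumably relies on exactly the requested dataset being loaded at index 0, so a short note that this assumes the arrays were loaded filtered on `$datatoexport` would help the next maintainer, provided that is how the loader behaves. The step 2 block continues past the hunk.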