Fix vulnerabiity: External users can set a public note
eldy committed May 9, 2021
1 parent 0271645 commit 8cc1000
Showing 1 changed file with 13 additions and 11 deletions.
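--- a/htdocs/core/actions_setnotes.inc.php
+++ b/htdocs/core/actions_setnotes.inc.php
@@ -67,16 +67,18 @@
 }
 }
 }
-} elseif ($action == 'setnote_private' && !empty($permissionnote) && !GETPOST('cancel', 'alpha')) {
-// Set public note
-if (empty($action) || !is_object($object) || empty($id)) {
-dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
-}
-if (empty($object->id)) {
-$object->fetch($id); // Fetch may not be already done
-}
-$result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES | ENT_HTML5), '_private');
-if ($result < 0) {
-setEventMessages($object->error, $object->errors, 'errors');
+} elseif ($action == 'setnote_private' && !empty($permissionnote) && !GETPOST('cancel', 'alpha')) { // Set public note
+if (empty($user->socid)) {
+// Private notes (always hidden to external users)
+if (empty($action) || !is_object($object) || empty($id)) {
+dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
+}
+if (empty($object->id)) {
+$object->fetch($id); // Fetch may not be already done
+}
+$result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES | ENT_HTML5), '_private');
+if ($result < 0) {
+setEventMessages($object->error, $object->errors, 'errors');
+}
 }
 }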
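Review bot: The new `if (empty($user->socid))` guard denies external users silently — when `$user->socid` is set the branch simply falls through, so the submitter sees no error and the refused write leaves no trace, and no `else` exists to record it. Consider an explicit refusal in an `else` branch, e.g. `accessforbidden();` or `setEventMessages($langs->trans('NotEnoughPermissions'), null, 'errors');`, so a denied attempt is visible to the user and in the logs rather than indistinguishable from a successful save. The trailing comment on the `elseif` line still reads `// Set public note` although this branch handles `setnote_private`; it should read `// Set private note` to avoid misleading the next reader. Note also that the `empty($action)` check inside a branch that already requires `$action == 'setnote_private'` can never fire; that is pre-existing, but worth dropping while the branch is being touched. The enclosing if/elseif chain, including the public-note branch the commit title refers to, begins before this hunk.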
