fix: [security] xss fix missing part of solution
- the previous fix to the xss in the homepage setter was lacking the controller changes due to a partial commit (#bf4610c947c7dc372c4078f363d2dff6ae0703a8)

  - as originally discovered by Mislav Božičević <mislav.bozicevic@nn.cz>
  - persistence of the vulnerability after the incomplete fix reported by DIEGO JURADO PALLARES from Ciberinteligencia
iglocska committed Jul 14, 2020
1 parent ded8ed5 commit b3550b4
Showing 1 changed file with 21 additions and 18 deletions.
39 changes: 21 additions & 18 deletions app/Controller/UserSettingsController.php
Expand Up @@ -28,7 +28,6 @@ class UserSettingsController extends AppController
public function beforeFilter()
{
parent::beforeFilter();
$this->Security->unlockedActions = array_merge($this->Security->unlockedActions, array('setHomePage'));
}

public function index()
Expand Down Expand Up @@ -325,23 +324,27 @@ public function delete($id = false)

public function setHomePage()
{
if (!$this->request->is('post')) {
throw new MethodNotAllowedException(__('This endpoint only aaccepts POST requests.'));
}
if (empty($this->request->data['path'])) {
$this->request->data = array('path' => $this->request->data);
}
if (empty($this->request->data['path'])) {
throw new InvalidArgumentException(__('No path POSTed.'));
if ($this->request->is('post')) {
if (isset($this->request->data['UserSetting'])) {
$this->request->data = $this->request->data['UserSetting'];
}
if (!isset($this->request->data['path'])) {
$this->request->data = array('path' => $this->request->data);
}
if (empty($this->request->data['path'])) {
throw new InvalidArgumentException(__('No path POSTed.'));
}
$setting = array(
'UserSetting' => array(
'user_id' => $this->Auth->user('id'),
'setting' => 'homepage',
'value' => json_encode(array('path' => $this->request->data['path']))
)
);
$result = $this->UserSetting->setSetting($this->Auth->user(), $setting);
return $this->RestResponse->saveSuccessResponse('UserSettings', 'setHomePage', false, $this->response->type(), 'Homepage set to ' . $this->request->data['path']);
} else {
$this->layout = false;
}
$setting = array(
'UserSetting' => array(
'user_id' => $this->Auth->user('id'),
'setting' => 'homepage',
'value' => json_encode(array('path' => $this->request->data['path']))
)
);
$result = $this->UserSetting->setSetting($this->Auth->user(), $setting);
return $this->RestResponse->saveSuccessResponse('UserSettings', 'setHomePage', false, $this->response->type(), 'Homepage set to ' . $this->request->data['path']);
}
}
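Review bot: The POSTed path is stored verbatim at the `'value' => json_encode(array('path' => $this->request->data['path']))` line and concatenated unescaped into the success message on the `return $this->RestResponse->saveSuccessResponse(...)` line, so the controller still accepts any string as the homepage; restoring CSRF protection (the removed `unlockedActions` line in the first hunk) does not by itself constrain the value. Whether saveSuccessResponse escapes its message is not visible here, but a defensive check before building `$setting`, along the lines of `$path = $this->request->data['path']; if (!is_string($path) || !preg_match('#^/[^\s]*$#', $path)) { throw new InvalidArgumentException(__('Invalid path.')); }`, would reject non-string and non-site-relative values at the boundary (pattern is a constructed example; match it to how the stored homepage is consumed). Separately, `$result` from `setSetting()` is assigned but never checked, so a failed save still returns a success response. The `else` branch only sets `$this->layout = false`; presumably it falls through to render a view with the form, which is outside this diff.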
