Prevent information disclosure in the back end (see CVE-2018-20028)

contao · Dec 13, 2018 · 7eba568 · 7eba568
1 parent 3a0c440
commit 7eba568
Show file tree

Hide file tree

Showing 12 changed files with 74 additions and 23 deletions.
diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -1,6 +1,13 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.5.37 (2018-12-XX)
+---------------------------
+
+### Fixed
+Prevent information disclosure in the back end (see CVE-2018-20028).
+
+
 Version 3.5.36 (2018-09-18)
 ---------------------------
 

diff --git a/system/modules/calendar/dca/tl_calendar_events.php b/system/modules/calendar/dca/tl_calendar_events.php
@@ -559,7 +559,12 @@ public function checkPermission()
 		switch (Input::get('act'))
 		{
 			case 'paste':
-				// Allow
+			case 'select':
+				if (!in_array($id, $root))
+				{
+					$this->log('Not enough permissions to access calendar ID "'.$id.'"', __METHOD__, TL_ERROR);
+					$this->redirect('contao/main.php?act=error');
+				}
 				break;
 
 			case 'create':
@@ -600,7 +605,6 @@ public function checkPermission()
 				}
 				break;
 
-			case 'select':
 			case 'editAll':
 			case 'deleteAll':
 			case 'overrideAll':

diff --git a/system/modules/calendar/dca/tl_content.php b/system/modules/calendar/dca/tl_content.php
@@ -62,11 +62,8 @@ public function checkPermission()
 		// Check the current action
 		switch (Input::get('act'))
 		{
-			case 'paste':
-				// Allow
-				break;
-
 			case '': // empty
+			case 'paste':
 			case 'create':
 			case 'select':
 				// Check access to the news item

diff --git a/system/modules/core/dca/tl_article.php b/system/modules/core/dca/tl_article.php
@@ -383,7 +383,16 @@ public function checkPermission()
 		$GLOBALS['TL_DCA']['tl_page']['fields']['cgroup']['default'] = intval(Config::get('defaultGroup') ?: $this->User->groups[0]);
 
 		// Restrict the page tree
-		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $this->User->pagemounts;
+		if (empty($this->User->pagemounts) || !\is_array($this->User->pagemounts))
+		{
+			$root = array(0);
+		}
+		else
+		{
+			$root = $this->User->pagemounts;
+		}
+
+		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $root;
 
 		// Set allowed page IDs (edit multiple)
 		if (is_array($session['CURRENT']['IDS']))

diff --git a/system/modules/core/dca/tl_content.php b/system/modules/core/dca/tl_content.php
@@ -886,11 +886,8 @@ public function checkPermission()
 		// Check the current action
 		switch (Input::get('act'))
 		{
-			case 'paste':
-				// Allow
-				break;
-
 			case '': // empty
+			case 'paste':
 			case 'create':
 			case 'select':
 				// Check access to the article

diff --git a/system/modules/core/dca/tl_form_field.php b/system/modules/core/dca/tl_form_field.php
@@ -466,11 +466,15 @@ public function checkPermission()
 		switch (Input::get('act'))
 		{
 			case 'paste':
-				// Allow
+			case 'select':
+				if (!in_array($id, $root))
+				{
+					$this->log('Not enough permissions to access form ID "'.$id.'"', __METHOD__, TL_ERROR);
+					$this->redirect('contao/main.php?act=error');
+				}
 				break;
 
 			case 'create':
-			case 'select':
 				if (!strlen(Input::get('id')) || !in_array(Input::get('id'), $root))
 				{
 					$this->log('Not enough permissions to access form ID "'.Input::get('id').'"', __METHOD__, TL_ERROR);

diff --git a/system/modules/core/dca/tl_page.php b/system/modules/core/dca/tl_page.php
@@ -667,7 +667,16 @@ public function checkPermission()
 		$GLOBALS['TL_DCA']['tl_page']['fields']['cgroup']['default'] = intval(Config::get('defaultGroup') ?: $this->User->groups[0]);
 
 		// Restrict the page tree
-		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $this->User->pagemounts;
+		if (empty($this->User->pagemounts) || !\is_array($this->User->pagemounts))
+		{
+			$root = array(0);
+		}
+		else
+		{
+			$root = $this->User->pagemounts;
+		}
+
+		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $root;
 
 		// Set allowed page IDs (edit multiple)
 		if (is_array($session['CURRENT']['IDS']))

diff --git a/system/modules/core/drivers/DC_Table.php b/system/modules/core/drivers/DC_Table.php
@@ -233,7 +233,14 @@ public function __construct($strTable, $arrModule=array())
 			// Get root records from global configuration file
 			elseif (is_array($GLOBALS['TL_DCA'][$table]['list']['sorting']['root']))
 			{
-				$this->root = $this->eliminateNestedPages($GLOBALS['TL_DCA'][$table]['list']['sorting']['root'], $table, $this->Database->fieldExists('sorting', $table));
+				if ($GLOBALS['TL_DCA'][$table]['list']['sorting']['root'] == array(0))
+				{
+					$this->root = array(0);
+				}
+				else
+				{
+					$this->root = $this->eliminateNestedPages($GLOBALS['TL_DCA'][$table]['list']['sorting']['root'], $table, $this->Database->fieldExists('sorting', $table));
+				}
 			}
 		}
 
@@ -5444,6 +5451,14 @@ protected function filterMenu($intFilterPanel)
 				}
 			}
 
+			$table = ($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['mode'] == 6) ? $this->ptable : $this->strTable;
+
+			// Limit the options if there are root records
+			if (isset($GLOBALS['TL_DCA'][$table]['list']['sorting']['root']) && $GLOBALS['TL_DCA'][$table]['list']['sorting']['root'] !== false)
+			{
+				$arrProcedure[] = "id IN(" . implode(',', array_map('\intval', $GLOBALS['TL_DCA'][$table]['list']['sorting']['root'])) . ")";
+			}
+
 			$objFields = $this->Database->prepare("SELECT DISTINCT " . $what . " FROM " . $this->strTable . ((is_array($arrProcedure) && strlen($arrProcedure[0])) ? ' WHERE ' . implode(' AND ', $arrProcedure) : ''))
 										->execute($arrValues);
 

diff --git a/system/modules/news/dca/tl_content.php b/system/modules/news/dca/tl_content.php
@@ -62,11 +62,8 @@ public function checkPermission()
 		// Check the current action
 		switch (Input::get('act'))
 		{
-			case 'paste':
-				// Allow
-				break;
-
 			case '': // empty
+			case 'paste':
 			case 'create':
 			case 'select':
 				// Check access to the news item

diff --git a/system/modules/news/dca/tl_news.php b/system/modules/news/dca/tl_news.php
@@ -507,7 +507,12 @@ public function checkPermission()
 		switch (Input::get('act'))
 		{
 			case 'paste':
-				// Allow
+			case 'select':
+				if (!in_array($id, $root))
+				{
+					$this->log('Not enough permissions to access news archive ID "'.$id.'"', __METHOD__, TL_ERROR);
+					$this->redirect('contao/main.php?act=error');
+				}
 				break;
 
 			case 'create':
@@ -549,7 +554,6 @@ public function checkPermission()
 				}
 				break;
 
-			case 'select':
 			case 'editAll':
 			case 'deleteAll':
 			case 'overrideAll':

diff --git a/system/modules/newsletter/dca/tl_newsletter.php b/system/modules/newsletter/dca/tl_newsletter.php
@@ -310,7 +310,11 @@ public function checkPermission()
 		{
 			case 'paste':
 			case 'select':
-				// Allow
+				if (!in_array($id, $root))
+				{
+					$this->log('Not enough permissions to access newsletter channel ID "'.$id.'"', __METHOD__, TL_ERROR);
+					$this->redirect('contao/main.php?act=error');
+				}
 				break;
 
 			case 'create':

diff --git a/system/modules/newsletter/dca/tl_newsletter_recipients.php b/system/modules/newsletter/dca/tl_newsletter_recipients.php
@@ -246,7 +246,11 @@ public function checkPermission()
 		{
 			case 'paste':
 			case 'select':
-				// Allow
+				if (!in_array($id, $root))
+				{
+					$this->log('Not enough permissions to access newsletter channel ID "'.$id.'"', __METHOD__, TL_ERROR);
+					$this->redirect('contao/main.php?act=error');
+				}
 				break;
 
 			case 'create':