fix virtual feed process list related input and feed access, missing …

…ownership validation, thanks to Carlos Alonso Gabizón @cagabi for spotting
emoncms · Nov 15, 2017 · 124166d · 124166d
1 parent ddd85cb
commit 124166d
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/Modules/feed/feed_controller.php b/Modules/feed/feed_controller.php
@@ -17,12 +17,18 @@
 
 function feed_controller()
 {
-    global $mysqli, $redis, $session, $route, $feed_settings;
+    global $mysqli, $redis, $session, $route, $feed_settings,$user;
     $result = false;
 
     require_once "Modules/feed/feed_model.php";
     $feed = new Feed($mysqli,$redis,$feed_settings);
 
+    require_once "Modules/input/input_model.php";
+    $input = new Input($mysqli,$redis,$feed);
+
+    require_once "Modules/process/process_model.php";
+    $process = new Process($mysqli,$input,$feed,$user->get_timezone($session['userid']));
+
     if ($route->format == 'html')
     {
         if ($route->action == "list" && $session['write']) $result = view("Modules/feed/Views/feedlist_view.php",array());
@@ -140,7 +146,7 @@ function feed_controller()
                     } else if ($route->action == "process") {
                         if ($f['engine']!=Engine::VIRTUALFEED) { $result = array('success'=>false, 'message'=>'Feed is not Virtual'); }
                         else if ($route->subaction == "get") $result = $feed->get_processlist($feedid);
-                        else if ($route->subaction == "set") $result = $feed->set_processlist($feedid, post('processlist'));
+                        else if ($route->subaction == "set") $result = $feed->set_processlist($session['userid'], $feedid, post('processlist'),$process->get_process_list());
                         else if ($route->subaction == "reset") $result = $feed->reset_processlist($feedid);
 
                     // Fast bulk uploader

diff --git a/Modules/feed/feed_model.php b/Modules/feed/feed_model.php
@@ -891,8 +891,36 @@ public function get_processlist($id)
     }
 
     // USES: redis feed
-    public function set_processlist($id, $processlist)
+    public function set_processlist($userid, $id, $processlist, $process_list)
     {
+        $userid = (int) $userid;
+
+        // Validate processlist
+        $pairs = explode(",",$processlist);
+
+        foreach ($pairs as $pair)
+        {
+            $inputprocess = explode(":", $pair);
+            if (count($inputprocess)==2) {
+                $processid = (int) $inputprocess[0];
+                $arg = (int) $inputprocess[1];
+
+                // Check that feed exists and user has ownership
+                if (isset($process_list[$processid]) && $process_list[$processid][1]==ProcessArg::FEEDID) {
+                    if (!$this->access($userid,$arg)) {
+                        return array('success'=>false, 'message'=>_("Invalid feed"));
+                    }
+                }
+
+                // Check that input exists and user has ownership
+                if (isset($process_list[$processid]) && $process_list[$processid][1]==ProcessArg::INPUTID) {
+                    $inputid = (int) $arg;
+                    $result = $this->mysqli->query("SELECT id FROM input WHERE `userid` = '$userid' AND `id` = '$arg'");
+                    if ($result->num_rows != 1) return array('success'=>false, 'message'=>_("Invalid input"));
+                }
+            }
+        }
+
         $this->mysqli->query("UPDATE feeds SET processList = '$processlist' WHERE id='$id'");
         if ($this->mysqli->affected_rows>0){
             // CHECK REDIS