fix security vulnerability to editing addresses, countries, and regio…

…ns; reported by pang0lin
exponentcms · Nov 3, 2016 · 9eeed1e · 9eeed1e
1 parent e83721a
commit 9eeed1e
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/framework/modules/addressbook/controllers/addressController.php b/framework/modules/addressbook/controllers/addressController.php
@@ -32,9 +32,16 @@ class addressController extends expController {
     );
     protected $manage_permissions = array(
 //        'import' => 'Import External Addresses',
-        'process' => 'Import External Addresses'
+        'process' => 'Import External Addresses',
+        'edit_country' => 'Edit Country',
+        'delete_country' => 'Delete Country',
+        'update_country' => 'Update Country',
+        'edit_region' => 'Edit Region',
+        'delete_region' => 'Delete Region',
+        'update_region' => 'Update Region',
     );
     public $requires_login = array(
+        'edit'=>'You must be logged in to perform this action',
         'myaddressbook'=>'You must be logged in to perform this action',
     );
 	public $remove_configs = array(
@@ -65,8 +72,18 @@ function showall() {
 
     public function edit()
     {
-        if((isset($this->params['id']))) $record = new address(intval($this->params['id']));
-        else $record = null;
+        global $user;
+
+        $id = !empty($this->params['id']) ? $this->params['id'] : null;
+
+        // check to see if we should be editing.  You either need to be an admin, or editing own account.
+        if ($user->isAdmin() || ($user->id == $id)) {
+            $record = new address($id);
+        } else {
+            flash('error', gt('You do not have the proper permissions to edit this address'));
+            expHistory::back();
+        }
+
         $config = ecomconfig::getConfig('address_allow_admins_all');
         assign_to_template(array(
             'record'=>$record,
@@ -83,7 +100,7 @@ public function myaddressbook() {
 		global $user;
 
 		// check if the user is logged in.
-		expQueue::flashIfNotLoggedIn('message',gt('You must be logged in to manage your address book.'));
+		expQueue::flashIfNotLoggedIn('message',gt('You must be logged in to manage your address book.'));  //fixme is this redundant to common routine?
         if (!$user->isAdmin() && $this->params['user_id'] != $user->id) {
             unset($this->params['user_id']);
         }