
Commit 9eeed1e

committed
fix security vulnerability to editing addresses, countries, and regions; reported by pang0lin
1 parent e83721a commit 9eeed1e

1 file changed

+21
-4
lines changed


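--- a/framework/modules/addressbook/controllers/addressController.php
+++ b/framework/modules/addressbook/controllers/addressController.php
@@ -32,9 +32,16 @@ class addressController extends expController {
 );
 protected $manage_permissions = array(
 // 'import' => 'Import External Addresses',
-'process' => 'Import External Addresses'
+'process' => 'Import External Addresses',
+'edit_country' => 'Edit Country',
+'delete_country' => 'Delete Country',
+'update_country' => 'Update Country',
+'edit_region' => 'Edit Region',
+'delete_region' => 'Delete Region',
+'update_region' => 'Update Region',
 );
 public $requires_login = array(
+'edit'=>'You must be logged in to perform this action',
 'myaddressbook'=>'You must be logged in to perform this action',
 );
 public $remove_configs = array(
@@ -65,8 +72,18 @@ function showall() {
 
 public function edit()
 {
-if((isset($this->params['id']))) $record = new address(intval($this->params['id']));
-else $record = null;
+global $user;
+
+$id = !empty($this->params['id']) ? $this->params['id'] : null;
+
+// check to see if we should be editing. You either need to be an admin, or editing own account.
+if ($user->isAdmin() || ($user->id == $id)) {
+$record = new address($id);
+} else {
+flash('error', gt('You do not have the proper permissions to edit this address'));
+expHistory::back();
+}
+
 $config = ecomconfig::getConfig('address_allow_admins_all');
 assign_to_template(array(
 'record'=>$record,
@@ -83,7 +100,7 @@ public function myaddressbook() {
 global $user;
 
 // check if the user is logged in.
-expQueue::flashIfNotLoggedIn('message',gt('You must be logged in to manage your address book.'));
+expQueue::flashIfNotLoggedIn('message',gt('You must be logged in to manage your address book.')); //fixme is this redundant to common routine?
 if (!$user->isAdmin() && $this->params['user_id'] != $user->id) {
 unset($this->params['user_id']);
 }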
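Review bot: The ownership test in edit() compares the current user's id with the address id (`$user->id == $id`, the same `$id` handed to `new address($id)`), not with the owner of that address, so for a non-admin the outcome depends on whether two unrelated numbers coincide rather than on who owns the record. The denied branch also does not return after `expHistory::back()`, so unless that call terminates the request `$record` is undefined when `assign_to_template` runs, and a non-admin calling edit() with no id (the new-address case the removed `$record = null` branch served) now lands in the denied branch, which may be unintended. Loading the record first and comparing its owner field (presumably `user_id`, the name the myaddressbook hunk uses for the request parameter — confirm against the address model) with `$user->id` would make the check meaningful, and the `intval()` the old line applied to the id is worth keeping. edit() continues past the hunk.
```php
global $user;

$id = !empty($this->params['id']) ? intval($this->params['id']) : null;
$record = new address($id);

// Only an admin or the address's own user may edit an existing address;
// an id of null is the new-address case and carries no owner yet.
// TODO confirm the owner property name on the address model.
if ($id !== null && !$user->isAdmin() && $record->user_id != $user->id) {
    flash('error', gt('You do not have the proper permissions to edit this address'));
    expHistory::back();
    return;
}
// … unchanged: ecomconfig lookup and assign_to_template …
```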
