
Fixed #019238: Vulnerability issue

1 parent caad98e commit e3581bb065a31d29bdc41bdba9e81abe26d8f352 @andrerom andrerom committed Mar 26, 2012
Showing with 10 additions and 5 deletions.
  1. +10 −5 kernel/content/ezcontentoperationcollection.php
@@ -1239,24 +1239,29 @@ static public function changeSortOrder( $nodeID, $sortingField, $sortingOrder =
/**
* Updates the priority of a node
*
- * @param int $nodeID
+ * @param int $parentNodeID
* @param array $priorityArray
* @param array $priorityArray
*
* @return array An array with operation status, always true
*/
- static public function updatePriority( $nodeID, $priorityArray = array(), $priorityIDArray = array() )
+ static public function updatePriority( $parentNodeID, $priorityArray = array(), $priorityIDArray = array() )
{
- $curNode = eZContentObjectTreeNode::fetch( $nodeID );
- if ( is_object( $curNode ) )
+ $curNode = eZContentObjectTreeNode::fetch( $parentNodeID );
+ if ( $curNode instanceof eZContentObjectTreeNode )
{
$db = eZDB::instance();
$db->begin();
for ( $i = 0, $l = count( $priorityArray ); $i < $l; $i++ )
{
$priority = (int) $priorityArray[$i];
$nodeID = (int) $priorityIDArray[$i];
- $db->query( "UPDATE ezcontentobject_tree SET priority=$priority WHERE node_id=$nodeID" );
+ $db->query( "UPDATE
+ ezcontentobject_tree
+ SET
+ priority={$priority}
+ WHERE
+ node_id={$nodeID} AND parent_node_id={$parentNodeID}" );

patrickallaert Apr 2, 2012

Contributor

It is questionable to add the parent_node_id to this query since the condition on node_id is already using the PK. That wouldn't restrict more unless the $parentNodeID is wrong.
Is this specifically meant as an additional security measure to avoid modifying children if the provided $parentNodeID would be wrong?


patrickallaert Apr 2, 2012

Contributor

On a second look, this makes sense.
This prevents modifying a node's priority without providing the correct parent_node_id, fair enough :)

}
$curNode->updateAndStoreModified();
$db->commit();
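Review bot: `$parentNodeID` reaches the new `parent_node_id={$parentNodeID}` condition without the `(int)` cast that `$priority` and `$nodeID` receive just above it, so the value placed in the SQL string is whatever the caller passed. The `instanceof` check only shows that `eZContentObjectTreeNode::fetch()` returned a node; if fetch() coerces its argument to an integer (not visible here), a non-numeric string could pass that check and still be interpolated verbatim. I would normalise it once before the fetch, `$parentNodeID = (int) $parentNodeID;`, so the lookup and the UPDATE use the same integer. The docblock still lists `@param array $priorityArray` twice; the second entry should name `$priorityIDArray`. The function body continues past the end of the hunk.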
