Fix Parameter based Indirect Object Referencing leading to private fi…

…le exposure
kanboard · Jun 3, 2023 · 437b141 · 437b141
1 parent cda45dd
commit 437b141
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
@@ -89,10 +89,10 @@ protected function getTask()
      * @access protected
      * @return array
      * @throws PageNotFoundException
-     * @throws AccessForbiddenException
      */
     protected function getFile()
     {
+        $project_id = $this->request->getIntegerParam('project_id');
         $task_id = $this->request->getIntegerParam('task_id');
         $file_id = $this->request->getIntegerParam('file_id');
         $model = 'projectFileModel';
@@ -108,7 +108,11 @@ protected function getFile()
         }
 
         if (isset($file['task_id']) && $file['task_id'] != $task_id) {
-            throw new AccessForbiddenException();
+            throw new PageNotFoundException();
+        }
+
+        if (isset($file['project_id']) && $file['project_id'] != $project_id) {
+            throw new PageNotFoundException();
         }
 
         $file['model'] = $model;