[COMPONENT][Attachment][Controller] Security fix: We were not ensuring that attachment was related to note
This commit is contained in:
parent
47f03d4c9f
commit
5c7b079df5
@ -35,6 +35,7 @@ use App\Util\Exception\NoSuchFileException;
|
|||||||
use App\Util\Exception\NotFoundException;
|
use App\Util\Exception\NotFoundException;
|
||||||
use App\Util\Exception\ServerException;
|
use App\Util\Exception\ServerException;
|
||||||
use Component\Attachment\Entity\AttachmentThumbnail;
|
use Component\Attachment\Entity\AttachmentThumbnail;
|
||||||
|
use Component\Attachment\Entity\AttachmentToNote;
|
||||||
use Symfony\Component\HttpFoundation\HeaderUtils;
|
use Symfony\Component\HttpFoundation\HeaderUtils;
|
||||||
use Symfony\Component\HttpFoundation\Request;
|
use Symfony\Component\HttpFoundation\Request;
|
||||||
use Symfony\Component\HttpFoundation\Response;
|
use Symfony\Component\HttpFoundation\Response;
|
||||||
@ -50,7 +51,12 @@ class Attachment extends Controller
|
|||||||
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
|
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
|
||||||
$note = \is_int($note) ? Note::getById($note) : $note;
|
$note = \is_int($note) ? Note::getById($note) : $note;
|
||||||
|
|
||||||
// Before anything, ensure proper scope
|
// Before anything, two very important things!
|
||||||
|
// first: ensure this attachment is associated with this note
|
||||||
|
if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
|
||||||
|
throw new ClientException(_m('No such attachment.'), 404);
|
||||||
|
}
|
||||||
|
// second: ensure proper scope
|
||||||
if (!$note->isVisibleTo(Common::actor())) {
|
if (!$note->isVisibleTo(Common::actor())) {
|
||||||
throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
|
throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
|
||||||
}
|
}
|
||||||
@ -145,12 +151,18 @@ class Attachment extends Controller
|
|||||||
*/
|
*/
|
||||||
public function attachmentThumbnailWithNote(Request $request, int $note_id, int $attachment_id, string $size = 'small'): Response
|
public function attachmentThumbnailWithNote(Request $request, int $note_id, int $attachment_id, string $size = 'small'): Response
|
||||||
{
|
{
|
||||||
// Before anything, ensure proper scope
|
|
||||||
if (!Note::getById($note_id)->isVisibleTo(Common::actor())) {
|
|
||||||
throw new ClientException(_m('You don\'t have permissions to view this thumbnail.'), 401);
|
|
||||||
}
|
|
||||||
|
|
||||||
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
|
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
|
||||||
|
$note = Note::getById($note_id);
|
||||||
|
|
||||||
|
// Before anything, two very important things!
|
||||||
|
// first: ensure this attachment is associated with this note
|
||||||
|
if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
|
||||||
|
throw new ClientException(_m('No such attachment.'), 404);
|
||||||
|
}
|
||||||
|
// second: ensure proper scope
|
||||||
|
if (!$note->isVisibleTo(Common::actor())) {
|
||||||
|
throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
|
||||||
|
}
|
||||||
|
|
||||||
$crop = Common::config('thumbnail', 'smart_crop');
|
$crop = Common::config('thumbnail', 'smart_crop');
|
||||||
|
|
||||||
|
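Review bot: In `attachmentThumbnailWithNote` the new association check runs before the visibility check, so an actor who is not permitted to see the note receives a 404 when the attachment id is not linked to that note and a 401 when it is, which turns the endpoint into an oracle for which attachments belong to a note the actor may not view. Reorder the guards so `if (!$note->isVisibleTo(Common::actor()))` is evaluated first, or return the same `404` from both branches so the two outcomes are indistinguishable to an unauthorized caller; the earlier hunk on this page has the same ordering and should be changed the same way. Since `DB::count(AttachmentToNote::class, [...])` appears to need only the two ids, it could be issued with `$attachment_id` and `$note_id` before `DB::findOneBy('attachment', ...)` and `Note::getById($note_id)` are called, avoiding the entity loads on the failure path. The identical two-guard sequence is now duplicated in both methods; a small private helper taking the attachment and the note would keep the check in one place. The method's body continues past the end of this hunk.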