
email: check the owner when set as primary (#5988)

* email: check the owner when set as primary

Fixes a security issue reported by muxishuihan.

* Update CHANGELOG
ᴜɴᴋɴᴡᴏɴ 5 gadi atpakaļ
vecāks
revīzija
529694dc6d
4 mainītis faili ar 9 papildinājumiem un 4 dzēšanām
  1. 1 0
      CHANGELOG.md
  2. 2 2
      Makefile
  3. 5 1
      internal/db/user_mail.go
  4. 1 1
      internal/route/user/setting.go

+ 1 - 0
CHANGELOG.md

@@ -37,6 +37,7 @@ All notable changes to Gogs are documented in this file.
 
 - [Security] Potential open redirection with i18n.
 - [Security] Potential ability to delete files outside a repository.
+- [Security] Potential ability to set primary email on others' behalf from their verified emails.
 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)

+ 2 - 2
Makefile

@@ -42,7 +42,7 @@ pack:
 
 release: build pack
 
-generate: $(ASSETS_GENERATED)
+generate: clean $(ASSETS_GENERATED)
 
 internal/assets/conf/conf_gen.go: $(CONF_FILES)
 	-rm -f $@
@@ -59,7 +59,7 @@ internal/assets/public/public_gen.go: $(PUBLIC_FILES)
 	go generate internal/assets/public/public.go
 	gofmt -s -w $@
 
-less: public/css/gogs.min.css
+less: clean public/css/gogs.min.css
 
 public/css/gogs.min.css: $(LESS_FILES)
 	@type lessc >/dev/null 2>&1 && lessc --clean-css --source-map "public/less/gogs.less" $@ || echo "lessc command not found or failed"
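Review bot: Listing `clean` as the first prerequisite of `generate` (and of `less` in the second hunk) only orders it under a serial make; with `make -j` the prerequisites may run concurrently, so `clean` can delete `$(ASSETS_GENERATED)` or `public/css/gogs.min.css` while they are being produced, and in any case the new dependency on `clean` rebuilds everything on each invocation, which defeats the timestamp rules below. If the intent is "always regenerate", an explicit two-step recipe is more robust, e.g. `generate:` with the body `$(MAKE) clean` followed by `$(MAKE) $(ASSETS_GENERATED)`, and likewise for `less`. Whether `clean` is a `.PHONY` target is not visible in these hunks; if it is not, declaring it so avoids a stray `clean` file silently disabling the step.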

+ 5 - 1
internal/db/user_mail.go

@@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
 	return nil
 }
 
-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
 	has, err := x.Get(email)
 	if err != nil {
 		return err
@@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
 		return errors.EmailNotFound{Email: email.Email}
 	}
 
+	if email.UID != userID {
+		return errors.New("not the owner of the email")
+	}
+
 	if !email.IsActivated {
 		return errors.EmailNotVerified{Email: email.Email}
 	}
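Review bot: The ownership check on `email.UID != userID` runs after the existence lookup and returns a distinct error, so a caller passing arbitrary ids can still distinguish "no such email" from "someone else's email", which leaks the existence of other users' address records; returning the same not-found error in both cases closes that, e.g. `return errors.EmailNotFound{Email: email.Email}` in the new branch. Also, `errors` here is the package providing `errors.EmailNotFound`, so `errors.New` must be exported by that package (cannot confirm from the hunk) — if it is not, this will not compile. The exported function also has no doc comment; suggested: `// MakeEmailPrimary sets email as the primary address of the user identified by userID. It fails if the email does not exist, belongs to another user, or is not activated.` The body of MakeEmailPrimary starts in the previous hunk and continues past this one.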

+ 1 - 1
internal/route/user/setting.go

@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 
 	// Make emailaddress primary.
 	if c.Query("_method") == "PRIMARY" {
-		if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+		if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
 			c.ServerError("MakeEmailPrimary", err)
 			return
 		}
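Review bot: Every error from `db.MakeEmailPrimary`, including the new not-owner rejection and the not-found/not-verified cases that a tampered `id` query parameter triggers, is routed to `c.ServerError`, so a client-caused request produces a 500 and is logged as an internal error rather than as a 404/403. Distinguishing the user-error cases before falling back to `ServerError` (the Gogs context type has a not-found helper, if I recall correctly — confirm) would keep the error log meaningful and avoid reporting a server fault for an authorization failure. Passing `c.UserID()` from the session rather than a form value is the right choice here, since it is not client-controlled. SettingsEmailPost begins and ends outside this hunk.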