5 years ago · 529694dc6d
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ All notable changes to Gogs are documented in this file.
 
															 - [Security] Potential open redirection with i18n.
														
 
															 - [Security] Potential ability to delete files outside a repository.
														
 
															+- [Security] Potential ability to set primary email on others' behalf from their verified emails.
														
 
															 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
														
 
															 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
														
 
															 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
														
--- a/Makefile
+++ b/Makefile
@@ -42,7 +42,7 @@ pack:
 
															 release: build pack
														
 
															-generate: $(ASSETS_GENERATED)
														
 
															+generate: clean $(ASSETS_GENERATED)
														
 
															 internal/assets/conf/conf_gen.go: $(CONF_FILES)
														
 
															 	-rm -f $@
														
@@ -59,7 +59,7 @@ internal/assets/public/public_gen.go: $(PUBLIC_FILES)
 
															 	go generate internal/assets/public/public.go
														
 
															 	gofmt -s -w $@
														
 
															-less: public/css/gogs.min.css
														
 
															+less: clean public/css/gogs.min.css
														
 
															 public/css/gogs.min.css: $(LESS_FILES)
														
 
															 	@type lessc >/dev/null 2>&1 && lessc --clean-css --source-map "public/less/gogs.less" $@ || echo "lessc command not found or failed"
														
--- a/internal/db/user_mail.go
+++ b/internal/db/user_mail.go
@@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
 
															 	return nil
														
 
															 }
														
 
															-func MakeEmailPrimary(email *EmailAddress) error {
														
 
															+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
														
 
															 	has, err := x.Get(email)
														
 
															 	if err != nil {
														
 
															 		return err
														
@@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
 
															 		return errors.EmailNotFound{Email: email.Email}
														
 
															 	}
														
 
															+	if email.UID != userID {
														
 
															+		return errors.New("not the owner of the email")
														
 
															+	}
														
 
															+
														
 
															 	if !email.IsActivated {
														
 
															 		return errors.EmailNotVerified{Email: email.Email}
														
 
															 	}
														
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 
															 	// Make emailaddress primary.
														
 
															 	if c.Query("_method") == "PRIMARY" {
														
 
															-		if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
														
 
															+		if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
														
 
															 			c.ServerError("MakeEmailPrimary", err)
														
 
															 			return
														
 
															 		}