lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIX Privilege escalation reported by wizlynx WLX-2020-011

Browse Source
This commit is contained in:
Laurent Destailleur 2020-06-17 13:29:43 +02:00
parent 40e16672e3
commit 6660923e94
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
htdocs/core/lib/security.lib.php
View File

@ -277,9 +277,12 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
if (!$readok) accessforbidden();
//print "Read access is ok";
// Check write permission from module (we need to know write permission to create but also to delete drafts record)
// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
$createok = 1; $nbko = 0;
if (GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update' || ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete'))
$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update');
$wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft)
{
foreach ($featuresarray as $feature)
{
@ -341,7 +344,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
// If a or and at least one ok
if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $createok = 1;
if ((GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update') && !$createok) accessforbidden();
if ($wemustcheckpermissionforcreate && !$createok) accessforbidden();
//print "Write access is ok";
}