From: Nik Okuntseff Date: Fri, 27 Jul 2018 20:29:50 +0000 (+0000) Subject: Security fix for reports. X-Git-Tag: timetracker_1.19-1~800 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=3d9beabc77b40f26d2ae76269d03ca1c379f0bd0;p=timetracker.git Security fix for reports. --- diff --git a/WEB-INF/lib/ttReportHelper.class.php b/WEB-INF/lib/ttReportHelper.class.php index 74ddd582..acf33681 100644 --- a/WEB-INF/lib/ttReportHelper.class.php +++ b/WEB-INF/lib/ttReportHelper.class.php @@ -1936,4 +1936,26 @@ class ttReportHelper { */ return $options; } + + // verifyBean is a security function to make sure data in bean makes sense for a group. + static function verifyBean($bean) { + global $user; + + // Check users. + $users_in_bean = $bean->getAttribute('users'); + if (is_array($users_in_bean)) { + $users_in_group = ttTeamHelper::getUsers(); + foreach ($users_in_group as $user_in_group) { + $valid_ids[] = $user_in_group['id']; + } + foreach ($users_in_bean as $user_in_bean) { + if (!in_array($user_in_bean, $valid_ids)) { + return false; + } + } + } + + // TODO: add additional checks here. Perhaps do it before saving the bean for consistency. + return true; + } } diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 33aba4ff..5b3bf4e7 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.93.4292 | Copyright © Anuko | +  Anuko Time Tracker 1.17.94.4293 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/reports.php b/reports.php index 0565cf71..79c011f9 100644 --- a/reports.php +++ b/reports.php @@ -35,6 +35,7 @@ import('Period'); import('ttProjectHelper'); import('ttFavReportHelper'); import('ttClientHelper'); +import('ttReportHelper'); // Access check. if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports') || ttAccessAllowed('view_all_reports'))) { @@ -334,6 +335,9 @@ if ($request->isPost()) { } $bean->saveBean(); + // Check some more values. TODO: Perhaps it's not a good place to check values, re-evaluate this. + // Also make sure other post variations are sane. + if (!ttReportHelper::verifyBean($bean)) $err->add($i18n->get('error.sys')); if ($err->no()) { // Now we can go ahead and create a report.