Security fix for reports.

author Nik Okuntseff <support@anuko.com>

Fri, 27 Jul 2018 20:29:50 +0000 (20:29 +0000)

committer Nik Okuntseff <support@anuko.com>

Fri, 27 Jul 2018 20:29:50 +0000 (20:29 +0000)
author Nik Okuntseff <support@anuko.com>
Fri, 27 Jul 2018 20:29:50 +0000 (20:29 +0000)
committer Nik Okuntseff <support@anuko.com>
Fri, 27 Jul 2018 20:29:50 +0000 (20:29 +0000)
diff --git a/WEB-INF/lib/ttReportHelper.class.php b/WEB-INF/lib/ttReportHelper.class.php

index 74ddd58..acf3368 100644 (file)
--- a/WEB-INF/lib/ttReportHelper.class.php
+++ b/WEB-INF/lib/ttReportHelper.class.php
@@ -1936,4 +1936,26 @@ class ttReportHelper {
       */
      return $options;
    }
+
+  // verifyBean is a security function to make sure data in bean makes sense for a group.
+  static function verifyBean($bean) {
+    global $user;
+
+    // Check users.
+    $users_in_bean = $bean->getAttribute('users');
+    if (is_array($users_in_bean)) {
+      $users_in_group = ttTeamHelper::getUsers();
+      foreach ($users_in_group as $user_in_group) {
+        $valid_ids[] = $user_in_group['id'];
+      }
+      foreach ($users_in_bean as $user_in_bean) {
+        if (!in_array($user_in_bean, $valid_ids)) {
+          return false;
+        }
+      }
+    }
+
+    // TODO: add additional checks here. Perhaps do it before saving the bean for consistency.
+    return true;
+  }
  }
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl

index 33aba4f..5b3bf4e 100644 (file)
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
        <br>
        <table cellspacing="0" cellpadding="4" width="100%" border="0">
          <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.93.4292 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.94.4293 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
              <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
              <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
              <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
diff --git a/reports.php b/reports.php

index 0565cf7..79c011f 100644 (file)
--- a/reports.php
+++ b/reports.php
@@ -35,6 +35,7 @@ import('Period');
  import('ttProjectHelper');
  import('ttFavReportHelper');
  import('ttClientHelper');
+import('ttReportHelper');
  
  // Access check.
  if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports') || ttAccessAllowed('view_all_reports'))) {
@@ -334,6 +335,9 @@ if ($request->isPost()) {
      }
  
      $bean->saveBean();
+    // Check some more values. TODO: Perhaps it's not a good place to check values, re-evaluate this.
+    // Also make sure other post variations are sane.
+    if (!ttReportHelper::verifyBean($bean)) $err->add($i18n->get('error.sys'));
  
      if ($err->no()) {
        // Now we can go ahead and create a report.
author	Nik Okuntseff <support@anuko.com>
	Fri, 27 Jul 2018 20:29:50 +0000 (20:29 +0000)
committer	Nik Okuntseff <support@anuko.com>
	Fri, 27 Jul 2018 20:29:50 +0000 (20:29 +0000)
WEB-INF/lib/ttReportHelper.class.php		patch \| blob \| history
WEB-INF/templates/footer.tpl		patch \| blob \| history
reports.php		patch \| blob \| history