diff options
| author | Frederic Guillot <fred@kanboard.net> | 2016-03-04 22:06:55 -0500 |
|---|---|---|
| committer | Frederic Guillot <fred@kanboard.net> | 2016-03-04 22:06:55 -0500 |
| commit | f9f5d7188b71203558b97968081f72734df35e15 (patch) | |
| tree | 8de4bc7f721ef1f0fe9f39174f8d52c61724e43c | |
| parent | a7f3e3bec50762f2083f70672a0ba3db533fc8bb (diff) | |
Fix security issue: Unexpected access to any tasks from a shared public board
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | app/Controller/Task.php | 8 |
2 files changed, 10 insertions, 2 deletions
@@ -5,6 +5,10 @@ Improvements: * Added support for HTTP header "X-Forwarded-Proto: https" +Security issues: + +* Access allowed to any tasks from the shared public board by changing the URL parameters + Version 1.0.26 -------------- diff --git a/app/Controller/Task.php b/app/Controller/Task.php index 5f35be55..56d222d0 100644 --- a/app/Controller/Task.php +++ b/app/Controller/Task.php @@ -23,13 +23,17 @@ class Task extends Base // Token verification if (empty($project)) { - $this->forbidden(true); + return $this->forbidden(true); } $task = $this->taskFinder->getDetails($this->request->getIntegerParam('task_id')); if (empty($task)) { - $this->notfound(true); + return $this->notfound(true); + } + + if ($task['project_id'] != $project['id']) { + return $this->forbidden(true); } $this->response->html($this->helper->layout->app('task/public', array( |