From f9f5d7188b71203558b97968081f72734df35e15 Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Fri, 4 Mar 2016 22:06:55 -0500
Subject: Fix security issue: Unexpected access to any tasks from a shared public board

---
 ChangeLog               | 4 ++++
 app/Controller/Task.php | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 82c4ad78..5f8f154c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@ Improvements:
 
 * Added support for HTTP header "X-Forwarded-Proto: https"
 
+Security issues:
+
+* Access allowed to any tasks from the shared public board by changing the URL parameters
+
 Version 1.0.26
 --------------
 
diff --git a/app/Controller/Task.php b/app/Controller/Task.php
index 5f35be55..56d222d0 100644
--- a/app/Controller/Task.php
+++ b/app/Controller/Task.php
@@ -23,13 +23,17 @@ class Task extends Base
 
         // Token verification
         if (empty($project)) {
-            $this->forbidden(true);
+            return $this->forbidden(true);
         }
 
         $task = $this->taskFinder->getDetails($this->request->getIntegerParam('task_id'));
 
         if (empty($task)) {
-            $this->notfound(true);
+            return $this->notfound(true);
+        }
+
+        if ($task['project_id'] != $project['id']) {
+            return $this->forbidden(true);
         }
 
         $this->response->html($this->helper->layout->app('task/public', array(
-- 
cgit v1.2.3
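Review bot: The new ownership check in Task.php compares `$task['project_id']` with `$project['id']` using loose `!=`; since both come from the database as ints or numeric strings this works, but an authorization guard should not depend on PHP's loose comparison rules, so prefer `if ((int) $task['project_id'] !== (int) $project['id']) {`. The added `return` before `forbidden(true)` and `notfound(true)` suggests those helpers render a response and return rather than exit, which means the previous code fell through and rendered the task anyway; if that is the case, any other caller of these helpers that omits `return` has the same fall-through risk and is worth auditing. The enclosing method's signature and the rest of its body are outside the hunk. A one-line comment above the new check, such as `// The task must belong to the project whose token was verified above`, would make the intent of the guard explicit to the next maintainer.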