| Summary | Privacy error with private sql address books |
| Queue | Turba |
| Queue Version | 1.2.2 |
| Type | Bug |
| State | Resolved |
| Priority | 2. Medium |
| Owners | chuck (at) horde (dot) org |
| Requester | jhuuskon (at) iki (dot) fi |
| Created | 10/07/2004 (7582 days ago) |
| Due | |
| Updated | 10/10/2004 (7579 days ago) |
| Assigned | 10/08/2004 (7581 days ago) |
| Resolved | 10/10/2004 (7579 days ago) |
| Github Issue Link | |
| Github Pull Request | |
| Milestone | |
| Patch | No |
State ⇒ Resolved
any future versions of Turba 1.2 and definitely in Turba 2.0.
State ⇒ Assigned
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ Privacy error with private sql address books
Queue ⇒ Turba
When adding an entry (calling addobjectaction.php) user can define the
owner_id database column -> user can add an entry in anybody's
private sql address book.
I've a private address book configured like this:
'title' => 'My Addressbook',
'type' => 'sql',
'params' => array(
'phptype' => 'mysql',
'hostspec' => 'localhost', // username, db, password removed
'table' => 'turba_objects'
),
/* missing options straight from sources.php.dist */
'public' => false,
'readonly' => false,
'admin' => array(),
'export' => true
);
In the "Add" form there's a hidden field:
<input type="hidden" name="object[__owner]"
value="invaliduser@not.my.domain"/>
If the user set's the object[__owner] value he/she can add an entry to
anybody's address book.
AFAIK the problem is that addobjectaction.php doesn't check that the
form value is the same as Auth::getAuth() (or that Auth::getAuth() belongs
to the 'admin' => array()) ???
(also after reading thru deleteobject.php it seems that when removing
entries the only check is that object_id matches the 'key' form data,
I think the code should check that Auth::getAuth matches owner_id or
is in the admin array).
-Jarno