From 3530c41e7dff7217ee01974fb09dbb7b47b08e93 Mon Sep 17 00:00:00 2001
From: Roy Johnson
Date: Thu, 23 Feb 2006 02:40:58 +0000
Subject: [PATCH] Merging 6.8.7 security fixes

---
 docs/changelog/6.x.x.txt | 12 ++++++++++++
 lib/WebGUI/AssetBranch.pm | 3 ++-
 lib/WebGUI/AssetPackage.pm | 10 ++++++++--
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt
index 1b3c0ce6e..e34a683d7 100644
--- a/docs/changelog/6.x.x.txt
+++ b/docs/changelog/6.x.x.txt
@@ -44,6 +44,18 @@
  - fix [ 1431098 ] op=becomeUser can become non-existent userIds
  - fix [ 1431944 ] 6.8.6 DataForm moving fields
  - fix [ 1433195 ] 6.8.6 In/Out board labels missing
+ - fix : Registered users can deploy packages (Thanks to Lucas Bartholemy
+   for his work on finding this bug)
+ - fix : Package will deploy assets not defined as packages (Thanks to Lucas
+   Bartholemy for his work on finding this bug)
+ - fix : editBranchSave method does not check that user is a content
+   manager (Thanks to Lucas Bartholemy for his work on finding this bug)
+ - fix : editBranchSave does not check privileges of descendants (Thanks to
+   Lucas Bartholemy for his work on finding this bug)
+ - fix : setParent does not check that user is a content manager (Colin
+   Kuskie / Thanks to Lucas Bartholemy for his work on finding this bug)
+ - fix : setParent does not check permissions of target page (Colin Kuskie
+   / Thanks to Lucas Bartholemy for his work on finding this bug)
 6.8.6
  - Added logic to deal with case sensitivity and whitespace problems in LDAP
diff --git a/lib/WebGUI/AssetBranch.pm b/lib/WebGUI/AssetBranch.pm
index 9fee40665..6b37f9bae 100644
--- a/lib/WebGUI/AssetBranch.pm
+++ b/lib/WebGUI/AssetBranch.pm
@@ -272,7 +272,7 @@ Verifies proper inputs in the Asset Tree and saves them. Returns ManageAssets me
 sub www_editBranchSave {
 	my $self = shift;
-	return $self->session->privilege->insufficient() unless ($self->canEdit);
+	return $self->session->privilege->insufficient() unless ($self->canEdit && WebGUI::Grouping::isInGroup('4'));
 	my %data;
 	$data{isHidden} = $self->session->form->yesNo("isHidden") if ($self->session->form->yesNo("change_isHidden"));
 	$data{newWindow} = $self->session->form->yesNo("newWindow") if ($self->session->form->yesNo("change_newWindow"));
@@ -297,6 +297,7 @@ sub www_editBranchSave {
 	}
 	my $descendants = $self->getLineage(["self","descendants"],{returnObjects=>1});
 	foreach my $descendant (@{$descendants}) {
+		next unless $descendant->canEdit;
 		my $url;
 		if ($changeUrl) {
 			if ($urlBaseBy eq "parentUrl") {
diff --git a/lib/WebGUI/AssetPackage.pm b/lib/WebGUI/AssetPackage.pm
index 4af79f324..bf16d7db3 100644
--- a/lib/WebGUI/AssetPackage.pm
+++ b/lib/WebGUI/AssetPackage.pm
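Review bot: `WebGUI::Grouping::isInGroup('4')` in the first hunk is a function-style call that is handed no session, while the rest of the same line reaches the session through `$self->session`; if this branch's Grouping expects the session object, or the user check belongs on `$self->session->user`, the call will not be evaluating the current user, and it is the only thing separating a registered user from editBranchSave, so it is worth confirming before release. The bare `'4'` also deserves the comment its twin in AssetPackage.pm gets, e.g. `# group 4 = Content Managers`. In the second hunk, `next unless $descendant->canEdit;` silently drops descendants the user may not edit, so one save can apply URL and template changes to part of a subtree with no indication to the user or the log; consider recording the skipped asset ids through the same `WebGUI::ErrorHandler::security` path AssetPackage.pm uses, or at least a comment stating that a partial update is the intended outcome. www_editBranchSave continues past the end of the second hunk.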
@@ -81,10 +81,16 @@ Returns "". Deploys a Package. If canEdit is Fales, renders an insufficient Priv
 sub www_deployPackage {
 	my $self = shift;
-	return $self->session->privilege->insufficient() unless $self->canEdit;
-	my $packageMasterAssetId = $self->session->form->process("assetId");
+	# Must have edit rights to the asset deploying the package. Also, must be a Content Manager.
+	# This protects against non content managers deploying packages using a post or similar trickery.
+	return $self->session->privilege->insufficient() unless ($self->canEdit && WebGUI::Grouping::isInGroup('4'));
+	my $packageMasterAssetId = $session{form}{assetId};
 	if (defined $packageMasterAssetId) {
 		my $packageMasterAsset = WebGUI::Asset->newByDynamicClass($packageMasterAssetId);
+		unless ($packageMasterAsset->getValue('isPackage')) { #only deploy packages
+			WebGUI::ErrorHandler::security('deploy an asset as a package which was not set as a package.');
+			return;
+		}
 		my $masterLineage = $packageMasterAsset->get("lineage");
 		if (defined $packageMasterAsset && $packageMasterAsset->canView && $self->get("lineage") !~ /^$masterLineage/) {
 			my $deployedTreeMaster = $self->duplicateBranch($packageMasterAsset);
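Review bot: `$packageMasterAsset->getValue('isPackage')` runs before the `defined $packageMasterAsset` test two lines below it, so an unknown or unloadable assetId now dies on a method call on undef instead of reaching the existing guard; fold the defined check into the new condition, `unless (defined $packageMasterAsset && $packageMasterAsset->get('isPackage')) {`. Preferring `get` over `getValue` matters here as well: if `getValue` consults a same-named form field before the stored property, as the accessor of that name does in other WebGUI versions, the requester can satisfy the package check by posting `isPackage=1` alongside the assetId, which is exactly the "post or similar trickery" the new comment says this sub defends against, and the very next line already reads lineage with `get`. Separately, `my $packageMasterAssetId = $session{form}{assetId};` reads a package-global `%session` hash while every other line in the hunk goes through `$self->session`; it looks like a 6.8-era line carried over by the merge and should probably remain `$self->session->form->process("assetId")`. www_deployPackage continues past the end of the hunk.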