oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

- security: A vulnerability was found and fixed this morning that could allow a

Browse source 
malicious user to delete assets that they don't have rights to.
This commit is contained in:
JT Smith 2007-01-26 14:54:09 +00:00
parent 0eba64bc52
commit e56bbe371f
2 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/changelog/7.x.x.txt
View file

@ -9,6 +9,8 @@
- fix: The upgrade script will remove any orphaned EventsCalendars and - fix: The upgrade script will remove any orphaned EventsCalendars and
Events. Events.
- fix: Media Folder (perlDreamer Consulting, LLC) - fix: Media Folder (perlDreamer Consulting, LLC)
- security: A vulnerability was found and fixed this morning that could allow a
malicious user to delete assets that they don't have rights to.
7.3.7 7.3.7

3
lib/WebGUI/AssetTrash.pm
View file

@ -277,10 +277,9 @@ Purges a piece of content, including all it's revisions, from the system permane
sub www_purgeList { sub www_purgeList {
my $self = shift; my $self = shift;
return $self->session->privilege->insufficient() unless $self->canEdit;
foreach my $id ($self->session->form->param("assetId")) { foreach my $id ($self->session->form->param("assetId")) {
my $asset = WebGUI::Asset->newByDynamicClass($self->session,$id); my $asset = WebGUI::Asset->newByDynamicClass($self->session,$id);
$asset->purge; $asset->purge unless $asset->canEdit;
} }
if ($self->session->form->process("proceed") ne "") { if ($self->session->form->process("proceed") ne "") {
my $method = "www_".$self->session->form->process("proceed"); my $method = "www_".$self->session->form->process("proceed");