From 6a3af138170819b68f5f693ac98eccdc2698ec00 Mon Sep 17 00:00:00 2001
From: Kienan Stewart
Date: Wed, 25 Sep 2019 17:05:57 -0400
Subject: [PATCH] Filter db information searches to limit results to databases owned by current user
---
 bureau/class/m_mysql.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/bureau/class/m_mysql.php b/bureau/class/m_mysql.php
index 28d648c6..403beb45 100644
--- a/bureau/class/m_mysql.php
+++ b/bureau/class/m_mysql.php
@@ -592,9 +592,22 @@ class m_mysql {
 function get_defaultsparam($dbn) {
- global $db, $msg, $cuid;
+ global $db, $mem, $msg, $cuid;
 $msg->debug("mysql", "getdefaults");
+ $login=$mem->user["login"];
+ # The first condition allows us to access our "default" database, where the
+ # name matches exactly our login name. The second condition allows us to
+ # access the other databases suffixed with "_.*"
+ # The condition is split into two here to avoid the following situation:
+ # * Given two accounts "example" and "exampleb", with defaults (un-suffixed)
+ # databases, the user of account "example" could read the parameter information
+ # for "exampleb".
+ if (($dbn != $login) && !preg_match("#^$login\_#", $dbn)) {
+ $msg->raise("ERROR", "mysql",_("Database not found")." (5)");
+ return false;
+ }
+
 $dbu = $dbn;
 $r = array();
 $dbn = str_replace('_', '\_', $dbn);
@@ -624,7 +637,7 @@ class m_mysql {
 }
 }
- if (!$db->query("SELECT name,password from dbusers where name= ? ;", array($dbu))) {
+ if (!$db->query("SELECT name,password from dbusers where name= ? and uid= ? ;", array($dbu, $cuid))) {
 $msg->raise("ERROR", "mysql",_("Database not found")." (3)");
 return false;
 }
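Review bot: `$login` is interpolated directly into the PCRE pattern of the added ownership check (`preg_match("#^$login\_#", $dbn)`), so a login containing a regex metacharacter or the `#` delimiter alters or breaks the pattern instead of being matched literally; quote it and use strict comparison: `if (($dbn !== $login) && !preg_match('#^' . preg_quote($login, '#') . '_#', $dbn)) {`. Whether login names can contain such characters depends on account validation not visible here, so this may be defence in depth rather than a reachable fault today. The prefix check also derives ownership from a naming convention, whereas the second hunk's added `uid= ?` filter on `dbusers` checks ownership directly against `$cuid`; it is worth confirming that the database lookup between the two hunks is likewise scoped by uid rather than by name alone. The body of get_defaultsparam continues past the end of the first hunk and is not fully visible here.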