Friendica/friendica-github
1
0
Fork 0
mirror of https://github.com/friendica/friendica synced 2025-04-28 00:30:10 +00:00
Code Issues Projects Releases Packages Wiki Activity

Ensure the private message recipient is valid in Mail::send

Browse source 
- Arbitrary input could be used to circumvent most restrictions regarding recipients (except contact relationship)
This commit is contained in:
Hypolite Petovan 2022-02-22 10:44:30 -05:00
parent b24fe917e4
commit 1d779c6193
2 changed files with 36 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

41
src/Core/ACL.php
View file

@ -51,7 +51,7 @@ class ACL
* @return string
* @throws \Exception
*/
public static function getMessageContactSelectHTML(int $selected = null)
public static function getMessageContactSelectHTML(int $selected = null): string
{
$o = '';
@ -62,25 +62,7 @@ class ACL
$page->registerStylesheet(Theme::getPathForFile('js/friendica-tagsinput/friendica-tagsinput.css'));
$page->registerStylesheet(Theme::getPathForFile('js/friendica-tagsinput/friendica-tagsinput-typeahead.css'));
$condition = [
'uid' => local_user(),
'self' => false,
'blocked' => false,
'pending' => false,
'archive' => false,
'deleted' => false,
'rel' => [Contact::FOLLOWER, Contact::SHARING, Contact::FRIEND],
'network' => Protocol::SUPPORT_PRIVATE,
];
$contacts = Contact::selectToArray(
['id', 'name', 'addr', 'micro'],
DBA::mergeConditions($condition, ["`notify` != ''"])
);
$arr = ['contact' => $contacts, 'entry' => $o];
Hook::callAll(DI::args()->getModuleName() . '_pre_recipient', $arr);
$contacts = self::getValidMessageRecipientsForUser(local_user());
$tpl = Renderer::getMarkupTemplate('acl/message_recipient.tpl');
$o = Renderer::replaceMacros($tpl, [
@ -93,6 +75,25 @@ class ACL
return $o;
}
public static function getValidMessageRecipientsForUser(int $uid): array
{
$condition = [
'uid' => $uid,
'self' => false,
'blocked' => false,
'pending' => false,
'archive' => false,
'deleted' => false,
'rel' => [Contact::FOLLOWER, Contact::SHARING, Contact::FRIEND],
'network' => Protocol::SUPPORT_PRIVATE,
];
return Contact::selectToArray(
['id', 'name', 'addr', 'micro', 'url', 'nick'],
DBA::mergeConditions($condition, ["`notify` != ''"])
);
}
/**
* Returns a minimal ACL block for self-only permissions
*