jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix exploit allowing dmail filters to be set on other users.

Browse Source 
Exploit:

    curl \
      -u $USERNAME:$API_KEY \
      -X PUT "http://danbooru.donmai.us/maintenance/user/dmail_filter.json?dmail_id=1" \
      -d "dmail_filter[words]=owned&dmail_filter[user_id]=2"

...where dmail_id is any dmail you own (doesn't matter which) and user_id is the victim.
This commit is contained in:
evazion
2016-11-11 23:57:55 -06:00
parent 2dadad395b
commit a16b91e2bf
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/dmail_filter.rb
View File

@@ -1,6 +1,6 @@
class DmailFilter < ActiveRecord::Base
belongs_to :user
attr_accessible :user_id, :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
attr_accessible :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
validates_presence_of :user
before_validation :initialize_user