jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix exploit allowing dmail filters to be set on other users.

Browse Source 
Exploit:

    curl \
      -u $USERNAME:$API_KEY \
      -X PUT "http://danbooru.donmai.us/maintenance/user/dmail_filter.json?dmail_id=1" \
      -d "dmail_filter[words]=owned&dmail_filter[user_id]=2"

...where dmail_id is any dmail you own (doesn't matter which) and user_id is the victim.
This commit is contained in:
evazion
2016-11-11 23:57:55 -06:00
parent 2dadad395b
commit a16b91e2bf
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/maintenance/user/dmail_filters_controller.rb
View File

@@ -10,7 +10,7 @@ module Maintenance
def update def update
@dmail_filter = CurrentUser.dmail_filter || DmailFilter.new @dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
@dmail_filter.update_attributes(params[:dmail_filter]) @dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role)
flash[:notice] = "Filter updated" flash[:notice] = "Filter updated"
redirect_to(dmail_path(@dmail.id)) redirect_to(dmail_path(@dmail.id))
end end

2
app/models/dmail_filter.rb
View File

@@ -1,6 +1,6 @@
class DmailFilter < ActiveRecord::Base class DmailFilter < ActiveRecord::Base
belongs_to :user belongs_to :user
attr_accessible :user_id, :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin] attr_accessible :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
validates_presence_of :user validates_presence_of :user
before_validation :initialize_user before_validation :initialize_user