[pkg-horde] Bug#464058: turba access checking issue

Peter Paul Elfferich pp at dia.uva.nl
Thu Feb 7 11:32:06 UTC 2008


Hey Chuck, Gregory,

I've also tested the patch. It successfully secures the data, but it also
silently removes the non editable contacts from contact lists as the list is
viewed.  Are you or are you not supposed to be able to add contacts from one
address book to a contact list in another address book? If not then users
should also no longer be able to add contacts to contact lists from other
address books.

Regards,

Peter Paul

On Feb 7, 2008 2:37 AM, Gregory Colpart <reg at evolix.fr> wrote:

> Hi Chuck,
>
> On Tue, Feb 05, 2008 at 03:25:10PM -0500, Chuck Hagenbuch wrote:
> > Hi Gregory.
> >
> > Can you please test this patch on Turba 2.1.x?
> >
> > I have a more comprehensive update for Turba 2.2.x and HEAD which
> > cleans up the _read() function's API a bit more but has the same
> > effect. In my tests it denies access properly now.
> >
> > Also, if you're curious: the issue is that you can access other users'
> > contacts in the same database table ("source") by specifying your own
> > source id in the URL, but a contact id of another user's contact. I
> > can't reproduce or find any issues other than that - can you confirm?
> >
> > Thanks,
> > -chuck
> >
> >
> > Index: lib/Driver/sql.php
> > ===================================================================
> > RCS file: /repository/turba/lib/Driver/sql.php,v
> > retrieving revision 1.59.10.17
> > diff -u -r1.59.10.17 sql.php
> > --- lib/Driver/sql.php        30 Nov 2006 21:33:47 -0000      1.59.10.17
> > +++ lib/Driver/sql.php        5 Feb 2008 20:35:43 -0000
> > @@ -182,6 +182,15 @@
> >              $where = $criteria . ' = ?';
> >              $values[] = $this->_convertToDriver($id);
> >          }
> > +        if (isset($this->map['__owner'])) {
> > +            if ($this->usingShares) {
> > +                $owner = $this->share->get('uid');
> > +            } else {
> > +                $owner = Auth::getAuth();
> > +            }
> > +            $where .= ' AND ' . $this->map['__owner'] . ' = ?';
> > +            $values[] = $this->_convertToDriver($owner);
> > +        }
> >          if (!empty($this->_params['filter'])) {
> >              $where .= ' AND ' . $this->_params['filter'];
> >          }
> >
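Review bot: the new owner predicate under `if (isset($this->map['__owner']))` is only appended when the source's attribute map defines `__owner`, so a source whose map lacks that entry keeps the old behaviour and any contact id in its table remains readable through it; consider failing closed there for multi-user sources (refuse the read, or at least log it) instead of silently skipping the check, and record the dependency on the `__owner` mapping in the _read() docblock. It is also worth confirming that every branch ending at the closing brace above the new block leaves `$where` non-empty, since the clause is appended with a leading `' AND '`.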
>
> I tested your patch with success. I now have a "no results" message
> when I try to edit a contact owned by a different user.
>
> (Note: I Cc: Debian BTS because it's an unembargoed bug ;)
>
> Regards,
> --
> Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
>
>
>
> --
> To unsubscribe, send mail to 464058-unsubscribe at bugs.debian.org.
>
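An added example, not part of this thread and not Turba's own code, showing the lookup Chuck describes with an in-memory SQLite table (the table name, column names, helper names and sample rows are constructed for the illustration, not Turba's schema). The id predicate alone lets a user read any row in the shared table; appending the owner predicate the way the patch does turns the cross-user read into "no results", and resolving a contact list through the same scoped read drops members owned by someone else, which is the side effect Peter Paul reports above.

```python
"""Owner-scoped contact lookup, illustrating the fix discussed in the thread.
Not Turba's code: table, columns, helpers and data are constructed here."""
import sqlite3

# Constructed sample data: two users' contacts in one shared table.
CONTACTS = [
    ("c1", "alice", "Alice's dentist"),
    ("c2", "alice", "Alice's lawyer"),
    ("c3", "bob", "Bob's bank"),
]
# Constructed contact list owned by bob that references one of alice's contacts.
LIST_MEMBERS = {"bob-list": ["c3", "c1"]}


def make_db():
    """Create the shared table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE turba_objects ("
        "object_id TEXT PRIMARY KEY, owner_id TEXT, object_name TEXT)"
    )
    conn.executemany("INSERT INTO turba_objects VALUES (?, ?, ?)", CONTACTS)
    return conn


def build_where(object_id, owner=None, extra_filter=None):
    """Assemble the WHERE clause in the order the patched _read() does:
    key predicate, then ' AND owner = ?' when an owner is known, then any
    static driver-level filter. Only the bind values carry user input; the
    SQL fragments are fixed strings or operator configuration."""
    where = "object_id = ?"
    values = [object_id]
    if owner is not None:
        where += " AND owner_id = ?"
        values.append(owner)
    if extra_filter:
        where += " AND " + extra_filter
    return where, values


def read_contact(conn, object_id, owner=None):
    """owner=None reproduces the pre-patch behaviour: any id in the table is
    readable regardless of who owns it. Passing the authenticated user (or,
    with shares, the share's uid) scopes the read to that owner's rows and
    returns None, i.e. 'no results', for anyone else's contact."""
    where, values = build_where(object_id, owner)
    sql = "SELECT object_id, owner_id, object_name FROM turba_objects WHERE " + where
    return conn.execute(sql, values).fetchone()


def read_list_members(conn, list_id, owner):
    """Resolve a contact list through the same scoped read. Members that
    belong to another owner are not returned, so the list silently shrinks
    when viewed, which is the side effect reported in the thread."""
    members = []
    for member_id in LIST_MEMBERS[list_id]:
        row = read_contact(conn, member_id, owner)
        if row is not None:
            members.append(row[0])
    return members


def demo():
    conn = make_db()
    # Pre-patch: bob supplies his own source but alice's contact id and gets the row.
    leaked = read_contact(conn, "c1")
    # Post-patch: the owner predicate is appended and the row is not returned.
    denied = read_contact(conn, "c1", owner="bob")
    own = read_contact(conn, "c3", owner="bob")
    shrunk = read_list_members(conn, "bob-list", "bob")
    return leaked, denied, own, shrunk


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the four outcomes side by side: the unscoped read leaks Alice's row, the scoped read returns None for it, Bob's own contact still resolves, and Bob's list comes back with only the member he owns.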