Fix: unauthorized access to other users' tracks, positions

This commit is contained in:
Bartek Fabiszewski 2017-04-12 16:20:06 +02:00
parent 5318686626
commit 6049832b03
3 changed files with 31 additions and 18 deletions


@ -17,7 +17,7 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
require_once(ROOT_DIR . "/helpers/position.php");
/**
@ -54,8 +54,14 @@ function toHMS($s) {
}
$type = isset($_REQUEST["type"]) ? $_REQUEST["type"] : "kml";
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? $_REQUEST["trackid"] : NULL;
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
if ($config::$require_authentication && !$user->isAdmin && $user->id !== $userId) {
// unauthorized
$mysqli->close();
exit();
}
if ($config::$units == "imperial") {
$factor_kmh = 0.62; //to mph
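Review bot: The new guard `if ($config::$require_authentication && !$user->isAdmin && $user->id !== $userId)` uses a strict comparison against a value that is now cast to `(int)`; if auth.php populates `$user->id` from a database row as a string, the comparison never matches and every non-admin request is denied, including a user's own tracks — worth confirming how `$user->id` is typed, or normalising with `(int) $user->id === $userId`. The same expression in its positive form appears in the positions and tracks scripts of this commit, so the fix belongs in all three. The unauthorized branch also exits without setting a status, so the client receives an empty 200 response; `http_response_code(403);` before `exit();` would let clients and access logs distinguish a denial from an empty export. The script continues past the hunk.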


@ -17,22 +17,25 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
require_once(ROOT_DIR . "/helpers/position.php");
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? $_REQUEST["trackid"] : NULL;
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
if ($userId) {
$position = new uPosition();
$positionsArr = [];
if ($trackId) {
// get all track data
$positionsArr = $position->getAll($userId, $trackId);
} else {
// get data only for latest point
$position->getLast($userId);
$positionsArr[] = $position;
if (!$config::$require_authentication || $user->isAdmin || $user->id === $userId) {
$position = new uPosition();
if ($trackId) {
// get all track data
$positionsArr = $position->getAll($userId, $trackId);
} else {
// get data only for latest point
$position->getLast($userId);
$positionsArr[] = $position;
}
}
header("Content-type: text/xml");
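Review bot: On the denied path the new `if (!$config::$require_authentication || ...)` block leaves `$positionsArr = []` and the script still falls through to `header("Content-type: text/xml")`, so a request for another user's data returns a well-formed empty document with a 200 status, indistinguishable from a user who has no positions; the tracks script in this commit behaves the same way. If the silent empty response is intended, a comment such as `// unauthorized: respond with an empty document` on the fall-through would make that explicit; otherwise an `else { http_response_code(403); $mysqli->close(); exit(); }` branch would match the export script. Note too that `if ($userId)` treats a user id of 0 as absent, which is presumably fine if ids start at 1. The response-building code runs past the hunk.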


@ -17,14 +17,18 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
require_once(ROOT_DIR . "/helpers/track.php");
$userId = ((isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : 0);
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
if ($userId) {
$track = new uTrack();
$tracksArr = $track->getAll($userId);
$tracksArr = [];
if (!$config::$require_authentication || $user->isAdmin || $user->id === $userId) {
$track = new uTrack();
$tracksArr = $track->getAll($userId);
}
header("Content-type: text/xml");
$xml = new XMLWriter();
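Review bot: The authorization rule `!$config::$require_authentication || $user->isAdmin || $user->id === $userId` is now written out by hand in three scripts (here, the positions script, and negated in the export script), which invites the copies to drift the next time the rule changes. A single helper alongside the `$user` setup in auth.php, e.g. a function that takes the requested user id and returns this boolean, would let each entry point call it and keep the check in one place; I cannot see auth.php from here, so where exactly it fits is a guess. The hunk ends before the XML output is built.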