From 6049832b03939736d25e0afacb393a7e3cd84044 Mon Sep 17 00:00:00 2001
From: Bartek Fabiszewski
Date: Wed, 12 Apr 2017 16:20:06 +0200
Subject: [PATCH] Fix: unauthorized access to other users' tracks, positions

---
 utils/download.php | 12 +++++++++---
 utils/getpositions.php | 25 ++++++++++++++-----------
 utils/gettracks.php | 12 ++++++++----
 3 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/utils/download.php b/utils/download.php
index 6a98dfc..26d6ee2 100755
--- a/utils/download.php
+++ b/utils/download.php
@@ -17,7 +17,7 @@
  * along with this program; if not, see .
  */
 
-require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
+require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
 require_once(ROOT_DIR . "/helpers/position.php");
 
 /**
@@ -54,8 +54,14 @@ function toHMS($s) {
 }
 
 $type = isset($_REQUEST["type"]) ? $_REQUEST["type"] : "kml";
-$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : NULL;
-$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? $_REQUEST["trackid"] : NULL;
+$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
+$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
+
+if ($config::$require_authentication && !$user->isAdmin && $user->id !== $userId) {
+  // unauthorized
+  $mysqli->close();
+  exit();
+}
 
 if ($config::$units == "imperial") {
   $factor_kmh = 0.62; //to mph
diff --git a/utils/getpositions.php b/utils/getpositions.php
index 847a1bb..fb9753b 100755
--- a/utils/getpositions.php
+++ b/utils/getpositions.php
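Review bot: The new guard in the `@@ -54,8 +54,14 @@` hunk rejects the request with a bare `exit()`, so a denied download is served as HTTP 200 with an empty body and is indistinguishable from a successful empty export in clients and access logs; add `http_response_code(403);` before `$mysqli->close();`. The strict `$user->id !== $userId` now compares against an `(int)`-cast value, so if auth.php fills `$user->id` from a mysqli row without casting it will be a string and every non-admin request would be denied — worth confirming the type, and the same comparison appears in the getpositions.php and gettracks.php hunks. The check also establishes only that the caller owns `$userId`; `$trackId` is passed through unverified, which is acceptable only if the export query filters on both user and track, which is not visible here.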
@@ -17,22 +17,25 @@
  * along with this program; if not, see .
  */
 
-require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
+require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
 require_once(ROOT_DIR . "/helpers/position.php");
 
-$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : NULL;
-$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? $_REQUEST["trackid"] : NULL;
+$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
+$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
 
 if ($userId) {
-  $position = new uPosition();
   $positionsArr = [];
-  if ($trackId) {
-    // get all track data
-    $positionsArr = $position->getAll($userId, $trackId);
-  } else {
-    // get data only for latest point
-    $position->getLast($userId);
-    $positionsArr[] = $position;
+
+  if (!$config::$require_authentication || $user->isAdmin || $user->id === $userId) {
+    $position = new uPosition();
+    if ($trackId) {
+      // get all track data
+      $positionsArr = $position->getAll($userId, $trackId);
+    } else {
+      // get data only for latest point
+      $position->getLast($userId);
+      $positionsArr[] = $position;
+    }
   }
 
   header("Content-type: text/xml");
diff --git a/utils/gettracks.php b/utils/gettracks.php
index b31d98e..b2223b6 100755
--- a/utils/gettracks.php
+++ b/utils/gettracks.php
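Review bot: On the denied path the script still falls through to `header("Content-type: text/xml");` with `$positionsArr` left empty, so an unauthorized request presumably receives a 200 that looks like "no data" and leaves no sign that an access check failed; an `else` branch on the new condition setting `http_response_code(403);` would make denials visible to clients and logs. The same applies to the gettracks.php hunk. The authorization expression `!$config::$require_authentication || $user->isAdmin || $user->id === $userId` is now repeated verbatim in three scripts; hoisting it into one helper in auth.php (for example a method on `$user` taking the requested user id) would keep the policy in a single place so a later rule change cannot drift between files. The `if ($userId)` block continues past the end of the hunk.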
@@ -17,14 +17,18 @@
  * along with this program; if not, see .
  */
 
-require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
+require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
 require_once(ROOT_DIR . "/helpers/track.php");
 
-$userId = ((isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : 0);
+$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
 
 if ($userId) {
-  $track = new uTrack();
-  $tracksArr = $track->getAll($userId);
+  $tracksArr = [];
+
+  if (!$config::$require_authentication || $user->isAdmin || $user->id === $userId) {
+    $track = new uTrack();
+    $tracksArr = $track->getAll($userId);
+  }
 
   header("Content-type: text/xml");
   $xml = new XMLWriter();