From d5d0ad50fa33eb9e0fff32c24a0ce65f03bbc352 Mon Sep 17 00:00:00 2001 From: Ileana Maricel Barrionuevo Date: Wed, 21 Jul 2021 22:08:41 -0300 Subject: [PATCH 1/3] Fixed security issue: a user could edit others' shelves. --- cps/shelf.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cps/shelf.py b/cps/shelf.py index 431eeff8c..9556ba666 100644 --- a/cps/shelf.py +++ b/cps/shelf.py @@ -235,6 +235,8 @@ def create_shelf(): @login_required def edit_shelf(shelf_id): shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() + if not shelf.user_id == int(current_user.id): + return "Sorry you are not allowed to edit this shelf", 403 return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id) From c8ebaee0f76d5b404cd2d5fd17df9f27795abc49 Mon Sep 17 00:00:00 2001 From: Ileana Maricel Barrionuevo Date: Thu, 22 Jul 2021 00:41:07 -0300 Subject: [PATCH 2/3] Security fix improved: user should not edit other shelve's titles --- cps/shelf.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cps/shelf.py b/cps/shelf.py index 9556ba666..229eaade1 100644 --- a/cps/shelf.py +++ b/cps/shelf.py @@ -235,8 +235,9 @@ def create_shelf(): @login_required def edit_shelf(shelf_id): shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() - if not shelf.user_id == int(current_user.id): - return "Sorry you are not allowed to edit this shelf", 403 + if not check_shelf_edit_permissions(shelf): + flash(_(u"Sorry you are not allowed to edit this shelf: "),category="error") + return redirect(url_for('web.index')) return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id) From 59881367fe199f8a1b661dc78c312fccf9e1eadf Mon Sep 17 00:00:00 2001 From: Ileana Maricel Barrionuevo Date: Thu, 22 Jul 2021 01:05:11 -0300 Subject: [PATCH 3/3] Security fixes: Report 85176e1f-7920-4824-87ea-8eb5b5e505e0: Exposure of Private Personal Information to an Unauthorized Actor in janeczku/calibre-web --- cps/shelf.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/cps/shelf.py b/cps/shelf.py index 229eaade1..8ec4da455 100644 --- a/cps/shelf.py +++ b/cps/shelf.py @@ -72,10 +72,9 @@ def add_to_shelf(shelf_id, book_id): if not check_shelf_edit_permissions(shelf): if not xhr: - flash(_(u"Sorry you are not allowed to add a book to the the shelf: %(shelfname)s", shelfname=shelf.name), - category="error") + flash(_(u"Sorry you are not allowed to add a book to the the shelf"), category="error") return redirect(url_for('web.index')) - return "Sorry you are not allowed to add a book to the the shelf: %s" % shelf.name, 403 + return "Sorry you are not allowed to add a book to the that shelf", 403 book_in_shelf = ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id, ub.BookShelf.book_id == book_id).first() @@ -236,7 +235,7 @@ def create_shelf(): def edit_shelf(shelf_id): shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() if not check_shelf_edit_permissions(shelf): - flash(_(u"Sorry you are not allowed to edit this shelf: "),category="error") + flash(_(u"Sorry you are not allowed to edit this shelf"), category="error") return redirect(url_for('web.index')) return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)