From 5f6a73b010c01587ffbfb954441f6b7cbb54e767 Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Wed, 27 Apr 2022 12:12:37 +1200
Subject: [PATCH] [CVE-2022-29858] Read grant config for regenerate_shortcode

---
 src/Shortcodes/ImageShortcodeProvider.php     |  4 +-
 .../Shortcodes/ImageShortcodeProviderTest.php | 41 +++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/Shortcodes/ImageShortcodeProvider.php b/src/Shortcodes/ImageShortcodeProvider.php
index e68c7abd..2d5e9ea2 100644
--- a/src/Shortcodes/ImageShortcodeProvider.php
+++ b/src/Shortcodes/ImageShortcodeProvider.php
@@ -136,10 +136,12 @@ public static function handle_shortcode($args, $content, $parser, $shortcode, $e
      */
     public static function regenerate_shortcode($args, $content, $parser, $shortcode, $extra = [])
     {
+        $allowSessionGrant = static::config()->allow_session_grant;
+
         // Check if there is a suitable record
         $record = static::find_shortcode_record($args);
         if ($record) {
-            $args['src'] = $record->getURL();
+            $args['src'] = $record->getURL($allowSessionGrant);
         }
 
         // Rebuild shortcode
diff --git a/tests/php/Shortcodes/ImageShortcodeProviderTest.php b/tests/php/Shortcodes/ImageShortcodeProviderTest.php
index be43739f..572c207a 100644
--- a/tests/php/Shortcodes/ImageShortcodeProviderTest.php
+++ b/tests/php/Shortcodes/ImageShortcodeProviderTest.php
@@ -4,11 +4,17 @@
 
 use SilverStripe\Assets\File;
 use Silverstripe\Assets\Dev\TestAssetStore;
+use SilverStripe\Assets\FilenameParsing\ParsedFileID;
+use SilverStripe\Assets\Storage\AssetStore;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Dev\SapphireTest;
 use SilverStripe\View\Parsers\ShortcodeParser;
 use SilverStripe\Assets\Image;
 use SilverStripe\Assets\Shortcodes\ImageShortcodeProvider;
+use SilverStripe\Assets\Shortcodes\FileShortcodeProvider;
+use SilverStripe\Core\Injector\Injector;
+use SilverStripe\Security\InheritedPermissions;
+use SilverStripe\Security\Member;
 
 /**
  * @skipUpgrade
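Review bot: The new `$allowSessionGrant` line in regenerate_shortcode hands the raw config value to `getURL()` with no comment on why this matters, even though the whole point of the patch is that rebuilding a shortcode must not silently grant the current session access to a protected asset; a one-line rationale belongs above it, e.g. `// Only grant the session access to a protected file when allow_session_grant is explicitly enabled; regenerating a shortcode must never widen access on its own`. The value is also passed through untyped, so an unset config key reaches `getURL()` as null; `$args['src'] = $record->getURL((bool) $allowSessionGrant);` would make the no-grant default explicit, assuming getURL takes a boolean grant flag as the call site suggests. regenerate_shortcode continues past the end of the hunk, and handle_shortcode (named in the hunk header but outside it) is worth checking for the same pattern.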
@@ -187,4 +193,39 @@ public function testLazyLoading()
             $this->assertStringNotContainsString('loading="lazy"', $parser->parse($shortcode));
         });
     }
+
+    public function testRegenerateShortcode()
+    {
+        $assetStore = Injector::inst()->get(AssetStore::class);
+        $member = Member::create();
+        $member->write();
+        // Logout first to throw away the existing session which may have image grants.
+        $this->logOut();
+        $this->logInAs($member);
+        // image is in protected asset store
+        $image = $this->objFromFixture(Image::class, 'imageWithTitle');
+        $image->CanViewType = InheritedPermissions::ONLY_THESE_USERS;
+        $image->write();
+        $url = $image->getUrl(false);
+        $args = [
+            'id' => $image->ID,
+            'src' => $url,
+            'width' => '550',
+            'height' => '366',
+            'class' => 'leftAlone ss-htmleditorfield-file image',
+        ];
+        $shortHash = substr($image->getHash(), 0, 10);
+        $expected = implode(' ', [
+            '[image id="' . $image->ID . '" src="/assets/folder/' . $shortHash . '/test-image.png" width="550"',
+            'height="366" class="leftAlone ss-htmleditorfield-file image"]'
+        ]);
+        $parsedFileID = new ParsedFileID($image->getFilename(), $image->getHash());
+        $html = ImageShortcodeProvider::regenerate_shortcode($args, '', '', 'image');
+        $this->assertSame($expected, $html);
+        $this->assertFalse($assetStore->isGranted($parsedFileID));
+        Config::modify()->set(FileShortcodeProvider::class, 'allow_session_grant', true);
+        $html = ImageShortcodeProvider::regenerate_shortcode($args, '', '', 'image');
+        $this->assertSame($expected, $html);
+        $this->assertTrue($assetStore->isGranted($parsedFileID));
+    }
 }
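Review bot: The first `assertFalse($assetStore->isGranted($parsedFileID))` in testRegenerateShortcode depends on `allow_session_grant` being unset or false when the test starts, but the test never pins that, so a value left by project YAML or a sibling test could make the no-grant half of the test pass or fail for the wrong reason. Set it explicitly before the first `regenerate_shortcode` call, `Config::modify()->set(FileShortcodeProvider::class, 'allow_session_grant', false);`, so the assertion documents the default being exercised. Whether SapphireTest isolates `Config::modify()` changes between tests cannot be confirmed from this hunk, so the explicit reset is the safer shape either way.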