[media] Unathenticated viewing private data fix (#3657)

* # This is a combination of 3 commits. # This is the 1st commit message: fixing sql injection fixing sql injection Remove debugging line Use ?? idiom replacement # This is the commit message #2: remove variable that was used for debugging # This is the commit message #3: update comment to PHP 7 * remove isset because using ?? idiom * Cleanup variables not used and added logging with error message for user * fix error message to display * fix table name containing back ticks in database * Using DB excape results in back ticks and need to be stripped * remove debugging echo code * function viewData() created and handles showing data with permission check * revert changes to bugfix as was on wrong branch * move function down * travis cleanup * spaces cleanup
aces · May 28, 2018 · 9030b95 · 9030b95
1 parent 193e2f4
commit 9030b95
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/modules/media/ajax/FileUpload.php b/modules/media/ajax/FileUpload.php
@@ -16,7 +16,7 @@
 if (isset($_GET['action'])) {
     $action = $_GET['action'];
     if ($action == "getData") {
-        echo json_encode(getUploadFields());
+        viewData();
     } else if ($action == "upload") {
         uploadFile();
     } else if ($action == "edit") {
@@ -178,6 +178,21 @@ function uploadFile()
     }
 }
 
+/**
+ * Handles the media view data process
+ *
+ * @return void
+ */
+function viewData()
+{
+    $user =& User::singleton();
+    if (!$user->hasPermission('media_read')) {
+        header("HTTP/1.1 403 Forbidden");
+        exit;
+    }
+    echo json_encode(getUploadFields());
+}
+
 /**
  * Returns a list of fields from database
  *