From 9030b95d7932bc814f357ba161449b3bd3e5fecb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aliz=C3=A9e=20Wickenheiser?=
Date: Mon, 28 May 2018 10:31:46 -0400
Subject: [PATCH] [media] Unathenticated viewing private data fix (#3657)

* # This is a combination of 3 commits. # This is the 1st commit message: fixing sql injection fixing sql injection Remove debugging line Use ?? idiom replacement # This is the commit message #2: remove variable that was used for debugging # This is the commit message #3: update comment to PHP 7
* remove isset because using ?? idiom
* Cleanup variables not used and added logging with error message for user
* fix error message to display
* fix table name containing back ticks in database
* Using DB excape results in back ticks and need to be stripped
* remove debugging echo code
* function viewData() created and handles showing data with permission check
* revert changes to bugfix as was on wrong branch
* move function down
* travis cleanup
* spaces cleanup
---
 modules/media/ajax/FileUpload.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/modules/media/ajax/FileUpload.php b/modules/media/ajax/FileUpload.php
index a29213932be..c23cd9d7133 100644
--- a/modules/media/ajax/FileUpload.php
+++ b/modules/media/ajax/FileUpload.php
@@ -16,7 +16,7 @@ if (isset($_GET['action'])) {
     $action = $_GET['action'];
     if ($action == "getData") {
-        echo json_encode(getUploadFields());
+        viewData();
     } else if ($action == "upload") {
         uploadFile();
     } else if ($action == "edit") {
@@ -178,6 +178,21 @@ function uploadFile()
     }
 }
 
+/**
+ * Handles the media view data process
+ *
+ * @return void
+ */
+function viewData()
+{
+    $user =& User::singleton();
+    if (!$user->hasPermission('media_read')) {
+        header("HTTP/1.1 403 Forbidden");
+        exit;
+    }
+    echo json_encode(getUploadFields());
+}
+
 /**
  * Returns a list of fields from database
  *
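Review bot: The permission gate for `getData` now lives inside the handler it dispatches to, so the `if`/`else if` chain itself still forwards every other action (`upload`, `edit`, and whatever follows the cut-off branch) without a visible check; whether those handlers enforce their own permission is not shown in this hunk. If each handler is expected to gate itself, a short comment above the chain saying so, `// each action handler is responsible for its own permission check`, would keep the next added branch from being routed unguarded by accident. The surrounding `if (isset($_GET['action']))` block begins at the hunk header and its remaining branches continue outside the hunk.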
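Review bot: `$user =& User::singleton();` in the new viewData() assigns by reference, which emits "Only variables should be assigned by reference" unless User::singleton() is declared to return by reference; objects are handles in PHP 5+, so `$user = User::singleton();` behaves the same without that risk. On the denied path, `header("HTTP/1.1 403 Forbidden");` hard-codes the protocol version, whereas `http_response_code(403);` sets the status correctly for whatever version the request used. The docblock says only "Handles the media view data process"; it would help a reader to state that the function responds 403 and exits when the current user lacks the `media_read` permission, and otherwise echoes the JSON-encoded result of getUploadFields(). If the file already targets PHP 7.1 or later, a native `: void` return type could replace the `@return void` tag, but that depends on the project's minimum version, which this hunk does not show.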