From 061756732357206f2f13bf39a0676dd266ec9586 Mon Sep 17 00:00:00 2001
From: Marcus Schwemer
Date: Fri, 2 Aug 2024 19:14:57 +0200
Subject: [PATCH] [SECURITY] Prevent information disclosure of records

With a crafted url for the confirmation action, it was possible to reveal form data of already persisted emails. This behavior is mitigated with a check, whether the email was already persisted or not. If it is already persisted, the request ist forwarded to the main form.
---
 Classes/Controller/FormController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Classes/Controller/FormController.php b/Classes/Controller/FormController.php
index 956391bb3..d15f71856 100644
--- a/Classes/Controller/FormController.php
+++ b/Classes/Controller/FormController.php
@@ -123,6 +123,9 @@ public function initializeConfirmationAction(): void
      */
     public function confirmationAction(Mail $mail): void
     {
+        if ($mail->getUid() !== null) {
+            $this->forward('form');
+        }
         $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $this]);
         /** @noinspection PhpUnhandledExceptionInspection */
         $this->dataProcessorRunner->callDataProcessors(
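Review bot: The new guard in confirmationAction only prevents the disclosure if `$this->forward('form')` never returns; in classic Extbase that holds because forward() aborts the action by throwing a StopActionException, but nothing in the hunk shows it, and newer Extbase versions deprecate forward() in favour of returning a ForwardResponse, in which case the signal dispatch and the data processors that follow would still run on the persisted Mail. Making the abort explicit costs one line and records the intent for the next maintainer: put `// A uid means an existing record was injected via the URL; never render it` above the check and `return;` directly after the forward call. Since the hunk header shows initializeConfirmationAction, it is also worth confirming that its property-mapping configuration does not accept an `__identity` for the Mail argument, so that this check is a second layer rather than the only one. The body of confirmationAction continues past the end of the hunk.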