authorᴜɴᴋɴᴡᴏɴ <u@gogs.io>2020-03-15 18:58:56 +0800
committerGitHub <noreply@github.com>2020-03-15 18:58:56 +0800
commit82ff0c5852f29daa5f95d965fd50665581e7ea3c (patch)
tree25efa7f04324b3d59858f76bf3acbe2301a46136
parent07f71e2034e315d02f2d7148467e08acfa20a5cb (diff)
email: check the owner when set as primary (#5988)
* email: check the owner when set as primary Fixes a security issue reported by muxishuihan. * Update CHANGELOG
-rw-r--r--CHANGELOG.md1
-rw-r--r--Makefile4
-rw-r--r--internal/assets/public/public_gen.go4
-rw-r--r--internal/db/user_mail.go6
-rw-r--r--internal/route/user/setting.go2
5 files changed, 11 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96688511..7f961255 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ All notable changes to Gogs are documented in this file.
- [Security] Potential open redirection with i18n.
- [Security] Potential ability to delete files outside a repository.
+- [Security] Potential ability to set primary email on others' behalf from their verified emails.
- [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
- [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
- Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
diff --git a/Makefile b/Makefile
index c9473f0a..9eaddb20 100644
--- a/Makefile
+++ b/Makefile
@@ -42,7 +42,7 @@ pack:
release: build pack
-generate: $(ASSETS_GENERATED)
+generate: clean $(ASSETS_GENERATED)
internal/assets/conf/conf_gen.go: $(CONF_FILES)
-rm -f $@
@@ -59,7 +59,7 @@ internal/assets/public/public_gen.go: $(PUBLIC_FILES)
go generate internal/assets/public/public.go
gofmt -s -w $@
-less: public/css/gogs.min.css
+less: clean public/css/gogs.min.css
public/css/gogs.min.css: $(LESS_FILES)
@type lessc >/dev/null 2>&1 && lessc --clean-css --source-map "public/less/gogs.less" $@ || echo "lessc command not found or failed"
diff --git a/internal/assets/public/public_gen.go b/internal/assets/public/public_gen.go
index 9bb4572f..8d7bfd11 100644
--- a/internal/assets/public/public_gen.go
+++ b/internal/assets/public/public_gen.go
@@ -1722,7 +1722,7 @@ func cssGogsMinCss() (*asset, error) {
return nil, err
}
- info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)}
+ info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)}
a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xd9, 0x49, 0xa9, 0x99, 0x79, 0x58, 0x26, 0xec, 0xaa, 0x9, 0x5a, 0x24, 0x6, 0x69, 0x2e, 0xe0, 0x3a, 0xb1, 0x53, 0xc4, 0x42, 0x72, 0x4d, 0xe0, 0x67, 0x6d, 0xae, 0x6c, 0x8f, 0xc4, 0x27, 0x27}}
return a, nil
}
@@ -1742,7 +1742,7 @@ func cssGogsMinCssMap() (*asset, error) {
return nil, err
}
- info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)}
+ info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)}
a := &asset{bytes: bytes, info: info, digest: [32]uint8{0x46, 0x89, 0xb2, 0x95, 0x91, 0xfb, 0x5c, 0xda, 0xff, 0x63, 0x54, 0xc5, 0x91, 0xbf, 0x7a, 0x5a, 0xb5, 0x3d, 0xf, 0xf, 0x84, 0x41, 0x2d, 0xc3, 0x18, 0xf5, 0x74, 0xd7, 0xa9, 0x84, 0x70, 0xce}}
return a, nil
}
diff --git a/internal/db/user_mail.go b/internal/db/user_mail.go
index 440de084..37f0c2c0 100644
--- a/internal/db/user_mail.go
+++ b/internal/db/user_mail.go
@@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
return nil
}
-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
has, err := x.Get(email)
if err != nil {
return err
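Review bot: `MakeEmailPrimary` is exported and gains a `userID` parameter on L75, yet the signature still carries no doc comment describing the contract the new argument enforces. Add above the signature: `// MakeEmailPrimary makes email the primary address of the user identified by userID.` followed by `// The email must exist, belong to that user and be activated.` The activation and ownership conditions are the checks visible in the following hunk; the function body continues past this hunk, so any further effects should be confirmed against the rest of the file before being documented.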
@@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
return errors.EmailNotFound{Email: email.Email}
}
+ if email.UID != userID {
+ return errors.New("not the owner of the email")
+ }
+
if !email.IsActivated {
return errors.EmailNotVerified{Email: email.Email}
}
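Review bot: The ownership failure on L83 is an ad hoc string error, and the only caller touched by this commit (the `internal/route/user/setting.go` hunk) hands every non-nil error to `c.ServerError`, so a request carrying another user's email id is answered with a 500 and is indistinguishable from a database failure in logs and monitoring. A sentinel the route can test for, e.g. `var ErrEmailNotOwned = errors.New("not the owner of the email")` returned in place of the literal on L83 (assuming `errors` here is the project package that also provides `EmailNotFound`), would let the handler map it to a client error instead; answering it the same way as not-found avoids confirming that the id exists. Keep the message free of the loaded row's fields, as the hunk already does, because by L82 `email` has been populated with the other user's address. MakeEmailPrimary's body continues outside the hunk.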
diff --git a/internal/route/user/setting.go b/internal/route/user/setting.go
index c61309c2..f09e4034 100644
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
// Make emailaddress primary.
if c.Query("_method") == "PRIMARY" {
- if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+ if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
c.ServerError("MakeEmailPrimary", err)
return
}