From 82ff0c5852f29daa5f95d965fd50665581e7ea3c Mon Sep 17 00:00:00 2001
From: ᴜɴᴋɴᴡᴏɴ <u@gogs.io>
Date: Sun, 15 Mar 2020 18:58:56 +0800
Subject: email: check the owner when set as primary (#5988)

* email: check the owner when set as primary

Fixes a security issue reported by muxishuihan.

* Update CHANGELOG
---
 internal/assets/public/public_gen.go | 4 ++--
 internal/db/user_mail.go             | 6 +++++-
 internal/route/user/setting.go       | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

(limited to 'internal')

diff --git a/internal/assets/public/public_gen.go b/internal/assets/public/public_gen.go
index 9bb4572f..8d7bfd11 100644
--- a/internal/assets/public/public_gen.go
+++ b/internal/assets/public/public_gen.go
@@ -1722,7 +1722,7 @@ func cssGogsMinCss() (*asset, error) {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)}
+	info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)}
 	a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xd9, 0x49, 0xa9, 0x99, 0x79, 0x58, 0x26, 0xec, 0xaa, 0x9, 0x5a, 0x24, 0x6, 0x69, 0x2e, 0xe0, 0x3a, 0xb1, 0x53, 0xc4, 0x42, 0x72, 0x4d, 0xe0, 0x67, 0x6d, 0xae, 0x6c, 0x8f, 0xc4, 0x27, 0x27}}
 	return a, nil
 }
@@ -1742,7 +1742,7 @@ func cssGogsMinCssMap() (*asset, error) {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)}
+	info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)}
 	a := &asset{bytes: bytes, info: info, digest: [32]uint8{0x46, 0x89, 0xb2, 0x95, 0x91, 0xfb, 0x5c, 0xda, 0xff, 0x63, 0x54, 0xc5, 0x91, 0xbf, 0x7a, 0x5a, 0xb5, 0x3d, 0xf, 0xf, 0x84, 0x41, 0x2d, 0xc3, 0x18, 0xf5, 0x74, 0xd7, 0xa9, 0x84, 0x70, 0xce}}
 	return a, nil
 }
diff --git a/internal/db/user_mail.go b/internal/db/user_mail.go
index 440de084..37f0c2c0 100644
--- a/internal/db/user_mail.go
+++ b/internal/db/user_mail.go
@@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
 	return nil
 }
 
-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
 	has, err := x.Get(email)
 	if err != nil {
 		return err
@@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
 		return errors.EmailNotFound{Email: email.Email}
 	}
 
+	if email.UID != userID {
+		return errors.New("not the owner of the email")
+	}
+
 	if !email.IsActivated {
 		return errors.EmailNotVerified{Email: email.Email}
 	}
diff --git a/internal/route/user/setting.go b/internal/route/user/setting.go
index c61309c2..f09e4034 100644
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 
 	// Make emailaddress primary.
 	if c.Query("_method") == "PRIMARY" {
-		if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+		if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
 			c.ServerError("MakeEmailPrimary", err)
 			return
 		}
-- 
cgit v1.2.3