From 82ff0c5852f29daa5f95d965fd50665581e7ea3c Mon Sep 17 00:00:00 2001 From: ᴜɴᴋɴᴡᴏɴ Date: Sun, 15 Mar 2020 18:58:56 +0800 Subject: email: check the owner when set as primary (#5988) * email: check the owner when set as primary Fixes a security issue reported by muxishuihan. * Update CHANGELOG --- internal/assets/public/public_gen.go | 4 ++-- internal/db/user_mail.go | 6 +++++- internal/route/user/setting.go | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) (limited to 'internal') diff --git a/internal/assets/public/public_gen.go b/internal/assets/public/public_gen.go index 9bb4572f..8d7bfd11 100644 --- a/internal/assets/public/public_gen.go +++ b/internal/assets/public/public_gen.go @@ -1722,7 +1722,7 @@ func cssGogsMinCss() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)} + info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)} a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xd9, 0x49, 0xa9, 0x99, 0x79, 0x58, 0x26, 0xec, 0xaa, 0x9, 0x5a, 0x24, 0x6, 0x69, 0x2e, 0xe0, 0x3a, 0xb1, 0x53, 0xc4, 0x42, 0x72, 0x4d, 0xe0, 0x67, 0x6d, 0xae, 0x6c, 0x8f, 0xc4, 0x27, 0x27}} return a, nil } @@ -1742,7 +1742,7 @@ func cssGogsMinCssMap() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)} + info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)} a := &asset{bytes: bytes, info: info, digest: [32]uint8{0x46, 0x89, 0xb2, 0x95, 0x91, 0xfb, 0x5c, 0xda, 0xff, 0x63, 0x54, 0xc5, 0x91, 0xbf, 0x7a, 0x5a, 0xb5, 0x3d, 0xf, 0xf, 0x84, 0x41, 0x2d, 0xc3, 0x18, 0xf5, 0x74, 0xd7, 0xa9, 0x84, 0x70, 0xce}} return a, nil } diff --git a/internal/db/user_mail.go b/internal/db/user_mail.go index 440de084..37f0c2c0 100644 
--- a/internal/db/user_mail.go
+++ b/internal/db/user_mail.go
@@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
 return nil
 }
 
-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
 has, err := x.Get(email)
 if err != nil {
 return err
@@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
 return errors.EmailNotFound{Email: email.Email}
 }
 
+ if email.UID != userID {
+ return errors.New("not the owner of the email")
+ }
+
 if !email.IsActivated {
 return errors.EmailNotVerified{Email: email.Email}
 }
diff --git a/internal/route/user/setting.go b/internal/route/user/setting.go
index c61309c2..f09e4034 100644
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 
 // Make emailaddress primary.
 if c.Query("_method") == "PRIMARY" {
- if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+ if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
 c.ServerError("MakeEmailPrimary", err)
 return
 }
-- cgit v1.2.3
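Review bot: The new `userID` parameter is only compared after `has, err := x.Get(email)` has already loaded the row, so the function still fetches another user's address before rejecting it; constraining the lookup itself is simpler and leaves no window for a later branch to forget the check, e.g. set `email.UID = userID` immediately before the `x.Get(email)` call, after which a foreign ID falls into the existing `EmailNotFound` path. This assumes the ORM treats non-zero struct fields as query conditions, as the `ID`-only lookup from the route suggests — confirm before relying on it. The exported function also lacks a doc comment; based on its name and the checks visible in the next hunk: `// MakeEmailPrimary marks the address identified by email.ID as the primary email of userID. It fails if the address does not exist, belongs to a different user, or has not been activated.` The function body continues beyond this hunk.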
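Review bot: The ownership rejection is a plain `errors.New("not the owner of the email")`, which callers cannot distinguish from a genuine database failure, whereas the neighbouring `errors.EmailNotFound` and `errors.EmailNotVerified` are typed values this package already uses for client-caused failures; a typed error in the same style (for example `errors.EmailNotOwned{ID: email.ID}`) would let the route answer with a 403/404 instead of a 500. Because the check runs after the not-found branch, the two messages also form a small oracle: a probing user learns whether a guessed `id` exists at all, so returning the same not-found result for foreign addresses is the more conservative choice. Note that `errors` in this file resolves to the package providing `EmailNotFound`, not the standard library — confirm that package exports `New`, otherwise this will not compile.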
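Review bot: Every error from `db.MakeEmailPrimary`, including the new ownership rejection and the pre-existing not-found case, is funnelled into `c.ServerError("MakeEmailPrimary", err)`, so a user who submits a foreign `id` gets a 500 and the event is logged as an internal failure rather than a rejected request. Branch on the client-caused cases first, e.g. `if _, ok := err.(errors.EmailNotFound); ok { c.NotFound(); return }` (assuming the context offers a 404 helper — confirm), and treat the ownership error the same way once it has a testable type. The enclosing `SettingsEmailPost` starts before this hunk and continues after it.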