mirror of https://github.com/MISP/MISP
fix: [security] Password confirmation bypass in user edit
- the optional password confirmation could be circumvented by fooling the user edit action with a request that sets `Accept: application/json` while posting form content - as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
pull/8063/merge
parent
ce6bc88e33
commit
01120163a6
@ -154,7 +154,7 @@ class UsersController extends AppController
}
}
}
if (!$abortPost && !$this->_isRest()) {
if (!$abortPost && (!$this->_isRest() || empty($this->request->header('Authorization')))) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
@ -853,7 +853,7 @@ class UsersController extends AppController
$this->request->data['User'] = $this->request->data;
}
$abortPost = false;
if (!$this->_isRest()) {
if (!$this->_isRest() || empty($this->request->header('Authorization'))) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
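Review bot: The new guard on the `if (!$this->_isRest() || empty($this->request->header('Authorization')))` line still decides "browser session vs. API client" from request headers (the `_isRest()` content negotiation plus whether an `Authorization` header is present) rather than from how the current user was actually authenticated, so the password-confirmation requirement remains coupled to transport details that a future auth path could change without anyone revisiting these two call sites. If the API-key authenticator can record that the request was authenticated by key (for example in the Auth session/user data), testing that flag here would make the check independent of the Accept header and of the header's mere presence. The identical condition now appears in both hunks; moving it into one private helper that returns `!$this->_isRest() || empty($this->request->header('Authorization'))` and calling it from both places would keep the two from drifting apart, since a single divergence would silently reopen the bypass in one action. It is worth a short comment above the condition, such as `// Password confirmation is only enforced for session-authenticated (non API-key) requests, regardless of the Accept header`, so the security intent survives the next refactor. The enclosing methods start and end outside both hunks, so the else branches of the `!empty(...)` checks could not be reviewed here.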