fix: [security] Check permission when viewing shadow attribute picture

pull/7686/head
Jakub Onderka 2021-08-23 16:25:07 +02:00
parent 439ec5cceb
commit 038eb20da9
1 changed files with 1 additions and 8 deletions


@ -832,17 +832,10 @@ class ShadowAttributesController extends AppController
public function viewPicture($id, $thumbnail=false)
{
$conditions = $this->ShadowAttribute->buildConditions($this->Auth->user());
$conditions['ShadowAttribute.id'] = $id;
$conditions['ShadowAttribute.type'] = 'attachment';
$options = array(
'conditions' => $conditions,
'includeAllTags' => false,
'includeAttributeUuid' => true,
'flatten' => true,
'deleted' => [0, 1]
);
$sa = $this->ShadowAttribute->find('first', array(
'recursive' => -1,
'contain' => ['Event', 'Attribute'], // required because of conditions