From 8e75f0826f6ebad2cb69eaceb437a6b3a0ef359a Mon Sep 17 00:00:00 2001
From: iglocska <andras.iklody@gmail.com>
Date: Thu, 19 Sep 2013 17:28:55 +0200
Subject: [PATCH] Security fix and new download attachment feature

- users can now download attachments using the APIkey

- security issue fixed where a user could download attachments that he/she can't even see by navigating to attributes/download/<attribute_id>
---
 app/Controller/AttributesController.php | 47 ++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 9 deletions(-)

diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index 8a73a776a..2d4b0ac30 100755
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -24,6 +24,7 @@ class AttributesController extends AppController {
 		
 		$this->Auth->allow('restSearch');
 		$this->Auth->allow('returnAttributes');
+		$this->Auth->allow('downloadAttachment');
 
 		// permit reuse of CSRF tokens on the search page.
 		if ('search' == $this->request->params['action']) {
@@ -249,17 +250,28 @@ class AttributesController extends AppController {
 		if (!$this->Attribute->exists()) {
 			throw new NotFoundException(__('Invalid attribute'));
 		}
-
 		$this->Attribute->read();
-		$path = "files" . DS . $this->Attribute->data['Attribute']['event_id'] . DS;
-		$file = $this->Attribute->data['Attribute']['id'];
+		if (!$this->_isSiteAdmin() && 
+			$this->Auth->user('org') != 
+			$this->Attribute->data['Event']['org'] && 
+			($this->Attribute->data['Event']['distribution'] == 0 || 
+				$this->Attribute->data['Attribute']['distribution'] == 0
+			)) {
+			throw new UnauthorizedException('You do not have the permission to view this event.');
+		}
+		$this->__downloadAttachment($this->Attribute->data['Attribute']);
+	}
+	
+	private function __downloadAttachment($attribute) {
+		$path = "files" . DS . $attribute['event_id'] . DS;
+		$file = $attribute['id'];
 		$filename = '';
-		if ('attachment' == $this->Attribute->data['Attribute']['type']) {
-			$filename = $this->Attribute->data['Attribute']['value'];
+		if ('attachment' == $attribute['type']) {
+			$filename = $attribute['value'];
 			$fileExt = pathinfo($filename, PATHINFO_EXTENSION);
 			$filename = substr($filename, 0, strlen($filename) - strlen($fileExt) - 1);
-		} elseif ('malware-sample' == $this->Attribute->data['Attribute']['type']) {
-			$filenameHash = explode('|', $this->Attribute->data['Attribute']['value']);
+		} elseif ('malware-sample' == $attribute['type']) {
+			$filenameHash = explode('|', $attribute['value']);
 			$filename = $filenameHash[0];
 			$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
 			$fileExt = "zip";
@@ -1126,6 +1138,8 @@ class AttributesController extends AppController {
 	// The signature flag is off by default, enabling it will only return attribugtes that have the to_ids flag set to true.
 	public function returnAttributes($key, $id, $type = null, $sigOnly = false) {
 		$user = $this->checkAuthUser($key);
+		// if the user is authorised to use the api key then user will be populated with the user's account
+		// in addition we also set a flag indicating whether the user is a site admin or not.
 		if (!$user) {
 			throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
 		}
@@ -1199,9 +1213,24 @@ class AttributesController extends AppController {
 			// If after all of this $contained is still true, let's add the attribute to the array
 			if ($contained) $attributes[] = $attribute;
 		}
-
 		$this->set('results', $attributes);
 	}
 	
-	
+	public function downloadAttachment($key, $id) {
+		$user = $this->checkAuthUser($key);
+		// if the user is authorised to use the api key then user will be populated with the user's account
+		// in addition we also set a flag indicating whether the user is a site admin or not.
+		if (!$user) {
+			throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
+		}
+		$this->Attribute->read(null, $id);
+		if (!$user['User']['siteAdmin'] && 
+			$user['User']['org'] != $this->Attribute->data['Event']['org'] && 
+			($this->Attribute->data['Event']['distribution'] == 0 || 
+				$this->Attribute->data['Attribute']['distribution'] == 0
+			)) {
+			throw new UnauthorizedException('You do not have the permission to view this event.');
+		}
+		$this->__downloadAttachment($this->Attribute->data['Attribute']);
+	}
 }