fix: [vulnerability] Fixes a vulnerability where a user can view sightings that they should not be eligible for
- requires access to the event that has received the sighting - affects instances with restrictive sighting settings (event only / sighting reported only) - as reported by Tyler McLellan of CanCyber.orgpull/4249/head
parent
f13b664563
commit
c69969329d
|
@ -341,22 +341,72 @@ class SightingsController extends AppController
|
|||
'contain' => array('Organisation.name'),
|
||||
'order' => array('Sighting.date_sighting DESC')
|
||||
));
|
||||
if (!empty($sightings) && empty(Configure::read('Plugin.Sightings_policy')) && !$this->_isSiteAdmin()) {
|
||||
$eventOwnerOrgIdList = array();
|
||||
foreach ($sightings as $k => $sighting) {
|
||||
if (empty($eventOwnerOrgIdList[$sighting['Sighting']['event_id']])) {
|
||||
$temp_event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('Event.id' => $sighting['Sighting']['event_id']),
|
||||
'fields' => array('Event.id', 'Event.orgc_id')
|
||||
));
|
||||
$eventOwnerOrgIdList[$temp_event['Event']['id']] = $temp_event['Event']['orgc_id'];
|
||||
}
|
||||
if (empty($eventOwnerOrgIdList[$sighting['Sighting']['event_id']]) || $eventOwnerOrgIdList[$sighting['Sighting']['event_id']] !== $this->Auth->user('org_id')) {
|
||||
unset($sightings[$k]);
|
||||
}
|
||||
}
|
||||
$sightings = array_values($sightings);
|
||||
} else if (!empty($sightings) && Configure::read('Plugin.Sightings_policy') == 1 && !$this->_isSiteAdmin()) {
|
||||
$eventsWithOwnSightings = array();
|
||||
foreach ($sightings as $k => $sighting) {
|
||||
if (empty($eventsWithOwnSightings[$sighting['Sighting']['event_id']])) {
|
||||
$eventsWithOwnSightings[$sighting['Sighting']['event_id']] = false;
|
||||
$sighting_temp = $this->Sighting->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array(
|
||||
'Sighting.event_id' => $sighting['Sighting']['event_id'],
|
||||
'Sighting.org_id' => $this->Auth->user('org_id')
|
||||
)
|
||||
));
|
||||
if (empty($sighting_temp)) {
|
||||
$temp_event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array(
|
||||
'Event.id' => $sighting['Sighting']['event_id'],
|
||||
'Event.orgc_id' => $this->Auth->user('org_id')
|
||||
),
|
||||
'fields' => array('Event.id', 'Event.orgc_id')
|
||||
));
|
||||
$eventsWithOwnSightings[$sighting['Sighting']['event_id']] = !empty($temp_event);
|
||||
} else {
|
||||
$eventsWithOwnSightings[$sighting['Sighting']['event_id']] = true;
|
||||
}
|
||||
}
|
||||
if (!$eventsWithOwnSightings[$sighting['Sighting']['event_id']]) {
|
||||
unset($sightings[$k]);
|
||||
}
|
||||
}
|
||||
$sightings = array_values($sightings);
|
||||
}
|
||||
$this->set('org_id', $org_id);
|
||||
$this->set('rawId', $rawId);
|
||||
$this->set('context', $context);
|
||||
$this->set('types', array('Sighting', 'False-positive', 'Expiration'));
|
||||
if (Configure::read('Plugin.Sightings_anonymise') && !$this->_isSiteAdmin()) {
|
||||
foreach ($sightings as $k => $v) {
|
||||
if ($v['Sighting']['org_id'] != $this->Auth->user('org_id')) {
|
||||
$sightings[$k]['Organisation']['name'] = '';
|
||||
$sightings[$k]['Sighting']['org_id'] = 0;
|
||||
if (!empty($sightings)) {
|
||||
foreach ($sightings as $k => $v) {
|
||||
if ($v['Sighting']['org_id'] != $this->Auth->user('org_id')) {
|
||||
$sightings[$k]['Organisation']['name'] = '';
|
||||
$sightings[$k]['Sighting']['org_id'] = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($this->_isRest()) {
|
||||
return $this->RestResponse->viewData($sightings, $this->response->type());
|
||||
}
|
||||
$this->set('sightings', $sightings);
|
||||
$this->set('sightings', empty($sightings) ? array() : $sightings);
|
||||
$this->layout = false;
|
||||
$this->render('ajax/list_sightings');
|
||||
}
|
||||
|
|
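Review bot: In the event-owner branch, `$eventOwnerOrgIdList[$temp_event['Event']['id']] = $temp_event['Event']['orgc_id'];` reads the result of `$this->Event->find('first', ...)` without checking that a row came back, so a sighting whose event has since been deleted triggers undefined-index notices and writes a null key; the sighting is still dropped by the following `empty()` check (fails closed), but the assignment should be guarded with `if (!empty($temp_event)) { ... }` so the filter does not rely on notices for its safety. That branch also compares `orgc_id` to `$this->Auth->user('org_id')` with strict `!==` while the anonymise loop further down uses `!=`; if the two values ever carry different scalar types (a string from the model find versus an int from the session) the strict form would silently remove every sighting, so either cast both to `(int)` or use the same comparison in both places — worth confirming against how `org_id` is held in the session. In the reporter-only branch the existence probe `$this->Sighting->find('first', ...)` fetches the whole row; adding `'fields' => array('Sighting.id')` keeps the per-event lookup cheap. The enclosing method begins before the hunk; only its closing brace is visible here.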