From b4c794058aa57426679877444b52561e7e16ef2b Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 15 Dec 2016 16:49:06 +0800
Subject: [PATCH] fixed vulnerabilities (#392)

---
 models/token.go              | 13 ++++++++++---
 models/user_mail.go          | 31 ++++++++++++++++++++++++-------
 routers/api/v1/user/email.go |  1 +
 routers/user/setting.go      |  4 ++--
 4 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/models/token.go b/models/token.go
index 03ea554fbb2d..6b2898a49d4e 100644
--- a/models/token.go
+++ b/models/token.go
@@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
 }
 
 // DeleteAccessTokenByID deletes access token by given ID.
-func DeleteAccessTokenByID(id int64) error {
-	_, err := x.Id(id).Delete(new(AccessToken))
-	return err
+func DeleteAccessTokenByID(id, userID int64) error {
+	cnt, err := x.Id(id).Delete(&AccessToken{
+		UID: userID,
+	})
+	if err != nil {
+		return err
+	} else if cnt != 1 {
+		return ErrAccessTokenNotExist{}
+	}
+	return nil
 }
diff --git a/models/user_mail.go b/models/user_mail.go
index 69f87c2b3727..49d1bf78b2b3 100644
--- a/models/user_mail.go
+++ b/models/user_mail.go
@@ -5,10 +5,16 @@ package models
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 )
 
+var (
+	// ErrEmailAddressNotExist email address not exist
+	ErrEmailAddressNotExist = errors.New("Email address does not exist")
+)
+
 // EmailAddress is the list of all email addresses of a user. Can contain the
 // primary email address, but is not obligatory.
 type EmailAddress struct {
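Review bot: The ownership check in the new DeleteAccessTokenByID depends entirely on the caller passing a non-zero userID: xorm derives delete conditions from the bean's non-zero fields, so (as far as I know xorm) `&AccessToken{UID: 0}` contributes no UID condition and the delete silently degrades to the old ID-only behaviour this commit is fixing. The one caller visible in this patch passes ctx.User.ID, but the model function is the boundary worth hardening, so add an early guard such as `if userID <= 0 { return ErrAccessTokenNotExist{} }` before the Delete. While here, the `else if` after `return err` is unnecessary, and the doc comment should state the ownership contract, e.g. `// DeleteAccessTokenByID deletes the access token with the given ID only if it belongs to userID; it returns ErrAccessTokenNotExist when no such owned token exists.`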
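Review bot: The new sentinel `ErrEmailAddressNotExist` departs from the convention this same patch relies on in token.go, where the not-found condition is a typed error (`ErrAccessTokenNotExist{}`, presumably paired with an IsErr… helper as elsewhere in models); a bare errors.New value can only be compared by identity and carries no ID or address for diagnostics. Consider a struct type mirroring that pattern, or at minimum follow Go's error-string convention and fix the comment: `errors.New("email address does not exist")` with `// ErrEmailAddressNotExist is returned when no email address matches the given ID or address for the given user.`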
@@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
 
 // DeleteEmailAddress deletes an email address of given user.
 func DeleteEmailAddress(email *EmailAddress) (err error) {
-	if email.ID > 0 {
-		_, err = x.Id(email.ID).Delete(new(EmailAddress))
-	} else {
-		_, err = x.
-			Where("email=?", email.Email).
-			Delete(new(EmailAddress))
+	var deleted int64
+	// ask to check UID
+	var address = EmailAddress{
+		UID: email.UID,
 	}
-	return err
+	if email.ID > 0 {
+		deleted, err = x.Id(email.ID).Delete(&address)
+	} else {
+		deleted, err = x.
+			Where("email=?", email.Email).
+			Delete(&address)
+	}
+
+	if err != nil {
+		return err
+	} else if deleted != 1 {
+		return ErrEmailAddressNotExist
+	}
+	return nil
 }
 
 // DeleteEmailAddresses deletes multiple email addresses
diff --git a/routers/api/v1/user/email.go b/routers/api/v1/user/email.go
index f42fc11cf65a..0d83aa38c118 100644
--- a/routers/api/v1/user/email.go
+++ b/routers/api/v1/user/email.go
@@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
 	for i := range form.Emails {
 		emails[i] = &models.EmailAddress{
 			Email: form.Emails[i],
+			UID: ctx.User.ID,
 		}
 	}
 }
diff --git a/routers/user/setting.go b/routers/user/setting.go
index 1d405fba375e..bbb4d99c0238 100644
--- a/routers/user/setting.go
+++ b/routers/user/setting.go
@@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
 
 // DeleteEmail response for delete user's email
 func DeleteEmail(ctx *context.Context) {
-	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
+	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
 		ctx.Handle(500, "DeleteEmail", err)
 		return
 	}
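Review bot: The UID filter in DeleteEmailAddress is only effective when the caller fills in email.UID: `address` carries UID as its sole condition field, and xorm (as I understand it) drops zero-valued fields when it derives conditions from a bean, so a zero UID falls straight back to the unscoped delete by ID or by address that this commit is fixing. Reject that up front, `if email.UID <= 0 { return ErrEmailAddressNotExist }`, so a future caller that forgets the field fails closed instead of open. The `// ask to check UID` comment would read better as `// UID is part of the delete condition: only a row owned by email.UID can match`, and `var address = EmailAddress{...}` is more idiomatic as `address := EmailAddress{UID: email.UID}`.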
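Review bot: The API handler now stamps ctx.User.ID on every EmailAddress, but the function these are handed to, models.DeleteEmailAddresses, is not touched by this patch (only its doc comment appears as context in user_mail.go), so this diff alone does not show that the plural path applies the UID filter. If DeleteEmailAddresses delegates to DeleteEmailAddress per entry the fix carries over; if it builds its own query, the ownership check is still missing there, which is worth confirming and pinning with a test that tries to delete another user's address through the API. The enclosing DeleteEmail continues outside the hunk.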
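Review bot: With DeleteEmailAddress now returning ErrEmailAddressNotExist for an id that does not exist or belongs to another user, DeleteEmail answers such a request with `ctx.Handle(500, "DeleteEmail", err)`, reporting a client-side condition (a tampered or stale id) as a server error and adding noise to the error log. Distinguish it before the generic 500, e.g. `if err == models.ErrEmailAddressNotExist { ctx.Handle(404, "DeleteEmail", err); return }`, assuming ctx.Handle takes a 404 the same way it takes the 500 used here. A short comment on the call, `// UID scopes the delete to the signed-in user; a foreign id yields ErrEmailAddressNotExist`, would make the intent of the new argument visible to the next reader.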
@@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
 
 // SettingsDeleteApplication response for delete user access token
 func SettingsDeleteApplication(ctx *context.Context) {
-	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
+	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
 		ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))
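Review bot: After this change a rejected delete — including the new ErrAccessTokenNotExist path for an id the user does not own — is shown to the browser as `"DeleteAccessTokenByID: " + err.Error()`, which echoes raw model or database error text to the end user. Now that the not-found case is a normal outcome for a tampered id, flash a translated message for it (e.g. `ctx.Flash.Error(ctx.Tr("settings.delete_token_failed"))`, or whatever key the locale files provide) and keep the raw error for the server log only. The body of SettingsDeleteApplication continues past the hunk.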