🔒 Fix unauthorized manipulations of invitations (#254)

Luc Didry 2021-11-03 09:12:14 +01:00
parent e32ef3685f
commit ff9b320347
No known key found for this signature in database
GPG Key ID: EA868E12D0257E3C
5 changed files with 110 additions and 63 deletions


@ -5,6 +5,7 @@ Revision history for Lufi
- 💄 Disable signature when using LDAP (#249) - 💄 Disable signature when using LDAP (#249)
- 🌐 Update translations - 🌐 Update translations
- 🔒 Fix XSS where using zip feature (#254) - 🔒 Fix XSS where using zip feature (#254)
- 🔒 Fix unauthorized manipulations of invitations (#254)
0.05.14 2021-06-16 0.05.14 2021-06-16
- 🔧 Set default morbo port to 3000 (as it should have stay) - 🔧 Set default morbo port to 3000 (as it should have stay)


@ -122,61 +122,79 @@ sub delete_invitations {
my $c = shift; my $c = shift;
my @tokens = @{$c->every_param('tokens[]')}; my @tokens = @{$c->every_param('tokens[]')};
my @result = (); if ($c->is_user_authenticated) {
for my $token (@tokens) { my @result = ();
my $i = Lufi::DB::Invitation->new(app => $c->app) my @failures = ();
->from_token($token) for my $token (@tokens) {
->deleted(1) my $i = Lufi::DB::Invitation->new(app => $c->app)
->write; ->from_token($token);
push @result, { msg => $c->l('The invitation %1 has been deleted.', $i->token), token => $i->token, deleted => $i->deleted }; if ($i->ldap_user eq $c->current_user->{username}) {
} $i->deleted(1)
->write;
push @result, { msg => $c->l('The invitation %1 has been deleted.', $i->token), token => $i->token, deleted => $i->deleted };
} else {
push @failures, $c->l('The invitation %1 cant be deleted: it wasnt created by you (%2).', $i->token, $c->current_user->{username});
}
}
$c->render(json => { $c->render(json => {
success => true, success => (scalar(@result) > 0) ? true : false,
tokens => \@result tokens => \@result,
}); failures => \@failures
});
} else {
$c->redirect_to($c->url_for('login')->query(redirect => 'my_invitations'));
}
} }
sub resend_invitations { sub resend_invitations {
my $c = shift; my $c = shift;
my @tokens = @{$c->every_param('tokens[]')}; my @tokens = @{$c->every_param('tokens[]')};
my @success; if ($c->is_user_authenticated) {
my @failures; my @success = ();
for my $token (@tokens) { my @failures = ();
my $i = Lufi::DB::Invitation->new(app => $c->app) for my $token (@tokens) {
->from_token($token); my $i = Lufi::DB::Invitation->new(app => $c->app)
->from_token($token);
if ($i->files_sent_at) { if ($i->ldap_user eq $c->current_user->{username}) {
push @failures, $c->l('The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation.', $i->token, $i->guest_mail); if ($i->files_sent_at) {
} else { push @failures, $c->l('The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation.', $i->token, $i->guest_mail);
if ($c->config('invitations')->{'extend_invitation_expiration_on_resend'}) { } else {
$i->expire_at(time + $i->expire_at - $i->created_at) if ($c->config('invitations')->{'extend_invitation_expiration_on_resend'}) {
->write; $i->expire_at(time + $i->expire_at - $i->created_at)
->write;
}
my $from = ($c->config('invitations')->{'send_invitation_with_ldap_user_mail'}) ? $i->ldap_user_mail : $c->config('mail_sender');
my $url = $c->url_for('guest', token => $i->token)->to_abs;
my $expire = $c->get_date_lang()->time2str($c->l('%A %d %B %Y at %T'), $i->expire_at);
$c->mail(
from => $from,
to => $i->guest_mail,
template => 'invitations/invite',
format => 'mail',
ldap_user => ucfirst($i->ldap_user),
url => $url,
invitation => $i,
expires => $expire
);
push @success, { msg => $c->l('Invitation resent to %1.<br> URL: %2', $i->guest_mail, $url), expires => $expire, token => $i->token };
}
} else {
push @failures, $c->l('The invitation %1 cant be resent: it wasnt created by you (%2).', $i->token, $c->current_user->{username});
} }
my $from = ($c->config('invitations')->{'send_invitation_with_ldap_user_mail'}) ? $i->ldap_user_mail : $c->config('mail_sender');
my $url = $c->url_for('guest', token => $i->token)->to_abs;
my $expire = $c->get_date_lang()->time2str($c->l('%A %d %B %Y at %T'), $i->expire_at);
$c->mail(
from => $from,
to => $i->guest_mail,
template => 'invitations/invite',
format => 'mail',
ldap_user => ucfirst($i->ldap_user),
url => $url,
invitation => $i,
expires => $expire
);
push @success, { msg => $c->l('Invitation resent to %1.<br> URL: %2', $i->guest_mail, $url), expires => $expire, token => $i->token };
} }
}
$c->render(json => { $c->render(json => {
success => \@success, success => \@success,
failures => \@failures failures => \@failures
}); });
} else {
$c->redirect_to($c->url_for('login')->query(redirect => 'my_invitations'));
}
} }
sub toggle_invitations_visibility { sub toggle_invitations_visibility {
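Review bot: The ownership test `$i->ldap_user eq $c->current_user->{username}` is a bare string comparison, duplicated in delete_invitations and resend_invitations; when `from_token` yields an invitation whose `ldap_user` is undef (a token that matches nothing, or an older record — the hunk does not show which of these can happen), `eq` against undef only emits an "uninitialized" warning and the request falls into the "wasnt created by you" failure with `$i->token` possibly undef in the message. Make the intent explicit and keep both subs in step with one private helper, e.g. `sub _owned_by_current_user { my ($c, $i) = @_; return defined $i->ldap_user && $i->ldap_user eq $c->current_user->{username}; }`, and call it from both loops. Separately, the unauthenticated path (`$c->redirect_to($c->url_for('login')...)`) answers with a redirect while the authenticated path renders JSON; if these routes are requested by XHR, as the accompanying JS change suggests, the client receives the login page's HTML where it expects JSON, so a JSON 401/403 body carrying the login URL would be easier to handle consistently. The `sub delete_invitations {` line itself is outside the hunk.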


@ -41,7 +41,7 @@ msgstr "%1 sent you files"
msgid "%1 used your invitation to send you files:" msgid "%1 used your invitation to send you files:"
msgstr "%1 used your invitation to send you files:" msgstr "%1 used your invitation to send you files:"
#: lib/Lufi/Controller/Invitation.pm:160 lib/Lufi/Controller/Invitation.pm:85 themes/default/templates/invitations/my_invitations.html.ep:51 themes/default/templates/invitations/my_invitations.html.ep:52 themes/default/templates/invitations/my_invitations.html.ep:53 themes/default/templates/invitations/notification_files_sent.mail.ep:12 #: lib/Lufi/Controller/Invitation.pm:172 lib/Lufi/Controller/Invitation.pm:85 themes/default/templates/invitations/my_invitations.html.ep:51 themes/default/templates/invitations/my_invitations.html.ep:52 themes/default/templates/invitations/my_invitations.html.ep:53 themes/default/templates/invitations/notification_files_sent.mail.ep:12
msgid "%A %d %B %Y at %T" msgid "%A %d %B %Y at %T"
msgstr "%A %d %B %Y at %T" msgstr "%A %d %B %Y at %T"
@ -364,7 +364,7 @@ msgid "Invert selection"
msgstr "Invert selection" msgstr "Invert selection"
#. ($i->guest_mail, $url) #. ($i->guest_mail, $url)
#: lib/Lufi/Controller/Invitation.pm:172 #: lib/Lufi/Controller/Invitation.pm:184
msgid "Invitation resent to %1.<br> URL: %2" msgid "Invitation resent to %1.<br> URL: %2"
msgstr "Invitation resent to %1.<br> URL: %2" msgstr "Invitation resent to %1.<br> URL: %2"
@ -505,11 +505,11 @@ msgstr "Send all links by email"
msgid "Send the invitation" msgid "Send the invitation"
msgstr "Send the invitation" msgstr "Send the invitation"
#: themes/default/templates/mail.html.ep:46 #: themes/default/templates/mail.html.ep:47
msgid "Send with this server" msgid "Send with this server"
msgstr "Send with this server" msgstr "Send with this server"
#: themes/default/templates/mail.html.ep:47 #: themes/default/templates/mail.html.ep:49
msgid "Send with your own mail software" msgid "Send with your own mail software"
msgstr "Send with your own mail software" msgstr "Send with your own mail software"
@ -518,7 +518,7 @@ msgid "Sending part XX1 of XX2. Please, be patient, the progress bar can take a
msgstr "Sending part XX1 of XX2. Please, be patient, the progress bar can take a while to move." msgstr "Sending part XX1 of XX2. Please, be patient, the progress bar can take a while to move."
#. (url_for('/') #. (url_for('/')
#: themes/default/templates/partial/mail.js.ep:48 #: themes/default/templates/partial/mail.js.ep:49
msgid "Share your files in total privacy on %1" msgid "Share your files in total privacy on %1"
msgstr "Share your files in total privacy on %1" msgstr "Share your files in total privacy on %1"
@ -534,7 +534,7 @@ msgstr "Show zip content"
msgid "Signin" msgid "Signin"
msgstr "Signin" msgstr "Signin"
#: lib/Lufi/Controller/Invitation.pm:284 themes/default/templates/invitations/exception.html.ep:16 #: lib/Lufi/Controller/Invitation.pm:302 themes/default/templates/invitations/exception.html.ep:16
msgid "Sorry, the invitation doesnt exist. Are you sure you are on the right URL?" msgid "Sorry, the invitation doesnt exist. Are you sure you are on the right URL?"
msgstr "Sorry, the invitation doesnt exist. Are you sure you are on the right URL?" msgstr "Sorry, the invitation doesnt exist. Are you sure you are on the right URL?"
@ -556,7 +556,7 @@ msgid "Sorry, your invitation has expired or has been deleted. Please contact %1
msgstr "Sorry, your invitation has expired or has been deleted. Please contact %1 to have another invitation." msgstr "Sorry, your invitation has expired or has been deleted. Please contact %1 to have another invitation."
#. ($invitation->ldap_user_mail) #. ($invitation->ldap_user_mail)
#: lib/Lufi/Controller/Invitation.pm:277 #: lib/Lufi/Controller/Invitation.pm:295
msgid "The URLs of your files have been sent by email to %1." msgid "The URLs of your files have been sent by email to %1."
msgstr "The URLs of your files have been sent by email to %1." msgstr "The URLs of your files have been sent by email to %1."
@ -603,13 +603,23 @@ msgstr "The following email addresses are not valid: %1"
msgid "The guest email address (%1) is unvalid." msgid "The guest email address (%1) is unvalid."
msgstr "The guest email address (%1) is unvalid." msgstr "The guest email address (%1) is unvalid."
#. ($i->token, $c->current_user->{username})
#: lib/Lufi/Controller/Invitation.pm:136
msgid "The invitation %1 cant be deleted: it wasnt created by you (%2)."
msgstr "The invitation %1 cant be deleted: it wasnt created by you (%2)."
#. ($i->token, $i->guest_mail) #. ($i->token, $i->guest_mail)
#: lib/Lufi/Controller/Invitation.pm:151 #: lib/Lufi/Controller/Invitation.pm:163
msgid "The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation." msgid "The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation."
msgstr "The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation." msgstr "The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation."
#. ($i->token, $c->current_user->{username})
#: lib/Lufi/Controller/Invitation.pm:187
msgid "The invitation %1 cant be resent: it wasnt created by you (%2)."
msgstr "The invitation %1 cant be resent: it wasnt created by you (%2)."
#. ($i->token) #. ($i->token)
#: lib/Lufi/Controller/Invitation.pm:131 #: lib/Lufi/Controller/Invitation.pm:134
msgid "The invitation %1 has been deleted." msgid "The invitation %1 has been deleted."
msgstr "The invitation %1 has been deleted." msgstr "The invitation %1 has been deleted."


@ -41,7 +41,7 @@ msgstr ""
msgid "%1 used your invitation to send you files:" msgid "%1 used your invitation to send you files:"
msgstr "" msgstr ""
#: lib/Lufi/Controller/Invitation.pm:160 lib/Lufi/Controller/Invitation.pm:85 themes/default/templates/invitations/my_invitations.html.ep:51 themes/default/templates/invitations/my_invitations.html.ep:52 themes/default/templates/invitations/my_invitations.html.ep:53 themes/default/templates/invitations/notification_files_sent.mail.ep:12 #: lib/Lufi/Controller/Invitation.pm:172 lib/Lufi/Controller/Invitation.pm:85 themes/default/templates/invitations/my_invitations.html.ep:51 themes/default/templates/invitations/my_invitations.html.ep:52 themes/default/templates/invitations/my_invitations.html.ep:53 themes/default/templates/invitations/notification_files_sent.mail.ep:12
msgid "%A %d %B %Y at %T" msgid "%A %d %B %Y at %T"
msgstr "" msgstr ""
@ -364,7 +364,7 @@ msgid "Invert selection"
msgstr "" msgstr ""
#. ($i->guest_mail, $url) #. ($i->guest_mail, $url)
#: lib/Lufi/Controller/Invitation.pm:172 #: lib/Lufi/Controller/Invitation.pm:184
msgid "Invitation resent to %1.<br> URL: %2" msgid "Invitation resent to %1.<br> URL: %2"
msgstr "" msgstr ""
@ -505,11 +505,11 @@ msgstr ""
msgid "Send the invitation" msgid "Send the invitation"
msgstr "" msgstr ""
#: themes/default/templates/mail.html.ep:46 #: themes/default/templates/mail.html.ep:47
msgid "Send with this server" msgid "Send with this server"
msgstr "" msgstr ""
#: themes/default/templates/mail.html.ep:47 #: themes/default/templates/mail.html.ep:49
msgid "Send with your own mail software" msgid "Send with your own mail software"
msgstr "" msgstr ""
@ -518,7 +518,7 @@ msgid "Sending part XX1 of XX2. Please, be patient, the progress bar can take a
msgstr "" msgstr ""
#. (url_for('/') #. (url_for('/')
#: themes/default/templates/partial/mail.js.ep:48 #: themes/default/templates/partial/mail.js.ep:49
msgid "Share your files in total privacy on %1" msgid "Share your files in total privacy on %1"
msgstr "" msgstr ""
@ -534,7 +534,7 @@ msgstr ""
msgid "Signin" msgid "Signin"
msgstr "" msgstr ""
#: lib/Lufi/Controller/Invitation.pm:284 themes/default/templates/invitations/exception.html.ep:16 #: lib/Lufi/Controller/Invitation.pm:302 themes/default/templates/invitations/exception.html.ep:16
msgid "Sorry, the invitation doesnt exist. Are you sure you are on the right URL?" msgid "Sorry, the invitation doesnt exist. Are you sure you are on the right URL?"
msgstr "" msgstr ""
@ -556,7 +556,7 @@ msgid "Sorry, your invitation has expired or has been deleted. Please contact %1
msgstr "" msgstr ""
#. ($invitation->ldap_user_mail) #. ($invitation->ldap_user_mail)
#: lib/Lufi/Controller/Invitation.pm:277 #: lib/Lufi/Controller/Invitation.pm:295
msgid "The URLs of your files have been sent by email to %1." msgid "The URLs of your files have been sent by email to %1."
msgstr "" msgstr ""
@ -603,13 +603,23 @@ msgstr ""
msgid "The guest email address (%1) is unvalid." msgid "The guest email address (%1) is unvalid."
msgstr "" msgstr ""
#. ($i->token, $c->current_user->{username})
#: lib/Lufi/Controller/Invitation.pm:136
msgid "The invitation %1 cant be deleted: it wasnt created by you (%2)."
msgstr ""
#. ($i->token, $i->guest_mail) #. ($i->token, $i->guest_mail)
#: lib/Lufi/Controller/Invitation.pm:151 #: lib/Lufi/Controller/Invitation.pm:163
msgid "The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation." msgid "The invitation %1 cant be resent: %2 has already sent files.<br>Please create a new invitation."
msgstr "" msgstr ""
#. ($i->token, $c->current_user->{username})
#: lib/Lufi/Controller/Invitation.pm:187
msgid "The invitation %1 cant be resent: it wasnt created by you (%2)."
msgstr ""
#. ($i->token) #. ($i->token)
#: lib/Lufi/Controller/Invitation.pm:131 #: lib/Lufi/Controller/Invitation.pm:134
msgid "The invitation %1 has been deleted." msgid "The invitation %1 has been deleted."
msgstr "" msgstr ""


@ -44,9 +44,17 @@ function deleteInvit(e) {
Materialize.toast(t.msg, 6000, 'teal accent-3'); Materialize.toast(t.msg, 6000, 'teal accent-3');
$('#row-' + t.token).remove(); $('#row-' + t.token).remove();
}); });
data.failures.forEach(function(msg) {
Materialize.toast(msg, 10000, 'red accent-2');
});
disableButtons(); disableButtons();
} else { } else {
Materialize.toast(data.msg, 10000, 'red accent-2'); data.failures.forEach(function(msg) {
Materialize.toast(msg, 10000, 'red accent-2');
});
if (data.msg) {
Materialize.toast(data.msg, 10000, 'red accent-2');
}
} }
} }
}); });
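Review bot: The else branch calls `data.failures.forEach(...)` unconditionally, yet `data.msg` two lines later is guarded with `if (data.msg)`, which implies responses without a `failures` key are still expected there; for such a reply (an older-format `{success: false, msg: ...}` body, or presumably the login page the server now redirects unauthenticated callers to) `undefined.forEach` throws and the `msg` toast is never shown. Guard the list the same way: `(data.failures || []).forEach(function(msg) {`, in both the success and the failure branch. `deleteInvit` starts and ends outside the hunk.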