From d5d0ad50fa33eb9e0fff32c24a0ce65f03bbc352 Mon Sep 17 00:00:00 2001
From: Ileana Maricel Barrionuevo
Date: Wed, 21 Jul 2021 22:08:41 -0300
Subject: [PATCH 01/11] Fixed security issue: a user could edit others' shelves.

---
 cps/shelf.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cps/shelf.py b/cps/shelf.py
index 431eeff8..9556ba66 100644
--- a/cps/shelf.py
+++ b/cps/shelf.py
@@ -235,6 +235,8 @@ def create_shelf():
 @login_required
 def edit_shelf(shelf_id):
     shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
+    if not shelf.user_id == int(current_user.id):
+        return "Sorry you are not allowed to edit this shelf", 403
     return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)

From c8ebaee0f76d5b404cd2d5fd17df9f27795abc49 Mon Sep 17 00:00:00 2001
From: Ileana Maricel Barrionuevo
Date: Thu, 22 Jul 2021 00:41:07 -0300
Subject: [PATCH 02/11] Security fix improved: user should not edit other shelve's titles

---
 cps/shelf.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cps/shelf.py b/cps/shelf.py
index 9556ba66..229eaade 100644
--- a/cps/shelf.py
+++ b/cps/shelf.py
@@ -235,8 +235,9 @@ def create_shelf():
 @login_required
 def edit_shelf(shelf_id):
     shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
-    if not shelf.user_id == int(current_user.id):
-        return "Sorry you are not allowed to edit this shelf", 403
+    if not check_shelf_edit_permissions(shelf):
+        flash(_(u"Sorry you are not allowed to edit this shelf: "),category="error")
+        return redirect(url_for('web.index'))
     return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)

From 59881367fe199f8a1b661dc78c312fccf9e1eadf Mon Sep 17 00:00:00 2001
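Review bot: The added owner check dereferences `shelf` before confirming the query matched anything, so an unknown `shelf_id` raises AttributeError on `shelf.user_id` and surfaces as a 500 rather than a clean denial. I would guard first and use the direct comparison, `if shelf is None or shelf.user_id != int(current_user.id): return "Sorry you are not allowed to edit this shelf", 403` — `!=` reads better than `not ... ==`. This is also an owner-only rule; if administrators are expected to edit any user's shelf, this line locks them out, which the hunk gives no way to confirm. edit_shelf continues into `create_edit_shelf`, whose body is outside the hunk.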
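Review bot: The denial path on the new `return redirect(url_for('web.index'))` line answers with a 302 instead of the 403 the previous revision returned, so a non-browser caller sees a success-looking redirect and the failed authorization is only visible in the flashed message. For consistency with `add_to_shelf`, which keeps a plain 403 for XHR requests, I would either `abort(403)` here or branch on the request type the same way. `check_shelf_edit_permissions` is defined outside this hunk; since nothing here checks that the query returned a row, confirm the helper tolerates `shelf` being `None` for an unknown id.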
From: Ileana Maricel Barrionuevo
Date: Thu, 22 Jul 2021 01:05:11 -0300
Subject: [PATCH 03/11] Security fixes: Report 85176e1f-7920-4824-87ea-8eb5b5e505e0: Exposure of Private Personal Information to an Unauthorized Actor in janeczku/calibre-web

---
 cps/shelf.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/cps/shelf.py b/cps/shelf.py
index 229eaade..8ec4da45 100644
--- a/cps/shelf.py
+++ b/cps/shelf.py
@@ -72,10 +72,9 @@ def add_to_shelf(shelf_id, book_id):
     if not check_shelf_edit_permissions(shelf):
         if not xhr:
-            flash(_(u"Sorry you are not allowed to add a book to the the shelf: %(shelfname)s", shelfname=shelf.name),
-                  category="error")
+            flash(_(u"Sorry you are not allowed to add a book to the the shelf"), category="error")
             return redirect(url_for('web.index'))
-        return "Sorry you are not allowed to add a book to the the shelf: %s" % shelf.name, 403
+        return "Sorry you are not allowed to add a book to the that shelf", 403
     book_in_shelf = ub.session.query(ub.BookShelf).filter(ub.BookShelf.shelf == shelf_id, ub.BookShelf.book_id == book_id).first()
@@ -236,7 +235,7 @@ def create_shelf():
 def edit_shelf(shelf_id):
     shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
     if not check_shelf_edit_permissions(shelf):
-        flash(_(u"Sorry you are not allowed to edit this shelf: "),category="error")
+        flash(_(u"Sorry you are not allowed to edit this shelf"), category="error")
         return redirect(url_for('web.index'))
     return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)

From 3c8bfc31e4ac53c64281e4b62ba66f96620ccdc1 Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Fri, 23 Jul 2021 19:34:46 +0200
Subject: [PATCH 04/11] fix change name allowd as non admin

---
 cps/templates/user_edit.html | 58 ++++++++++++++++++------------------
 cps/web.py | 15 +++++-----
 2 files changed, 37 insertions(+), 36 deletions(-)
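Review bot: The rewritten XHR response on the added `return` line reads "to the that shelf", a typo this change introduces, and the new flash line above it still carries "the the shelf" from the old message. Suggest `flash(_(u"Sorry you are not allowed to add a book to this shelf"), category="error")` and `return "Sorry you are not allowed to add a book to this shelf", 403`. Dropping `shelf.name` from both messages is the right fix for the reported disclosure; the plain-text 403 is still not passed through `_()` unlike the flash, which is pre-existing but worth aligning while these lines are being touched. add_to_shelf starts before this hunk, so where `shelf` and `xhr` come from is not visible here.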
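Review bot: The generic message no longer reveals the shelf name, but the denied and not-found cases still behave differently: `shelf` is handed to `check_shelf_edit_permissions` without checking that the query returned a row, so as far as this hunk shows a guessed id that does not exist fails inside the helper rather than taking this branch, which lets a caller distinguish existing shelves from missing ones. I would treat both uniformly, `if shelf is None or not check_shelf_edit_permissions(shelf):` in front of the same flash-and-redirect. The helper and `create_edit_shelf` are outside the hunk, so whether the helper already handles `None` needs confirming.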
diff --git a/cps/templates/user_edit.html b/cps/templates/user_edit.html
index cc83a1b5..6fb30fc3 100644
--- a/cps/templates/user_edit.html
+++ b/cps/templates/user_edit.html
@@ -67,15 +67,14 @@ {% endif %}
- {% for element in sidebar %} - {% if element['config_show'] %} -
- - -
- {% endif %} - {% endfor %} - + {% for element in sidebar %} + {% if element['config_show'] %} +
+ + +
+ {% endif %} + {% endfor %}
@@ -84,6 +83,7 @@ {{_('Add Allowed/Denied Tags')}} {{_('Add allowed/Denied Custom Column Values')}} {% endif %} +
{% if g.user and g.user.role_admin() and not profile %} @@ -131,32 +131,32 @@
{% endif %} -
-
{{_('Save')}}
- {% if not profile %} -
{{_('Cancel')}}
- {% endif %} - {% if g.user and g.user.role_admin() and not profile and not new_user and not content.role_anonymous() %} -
{{_('Delete User')}}
- {% endif %} +
+
{{_('Save')}}
+ {% if not profile %} +
{{_('Cancel')}}
+ {% endif %} + {% if g.user and g.user.role_admin() and not profile and not new_user and not content.role_anonymous() %} +
{{_('Delete User')}}
+ {% endif %}
-