Public_Tools/wavelog
2
0
Fork 0
mirror of https://github.com/wavelog/wavelog.git synced 2026-03-22 10:24:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixes a security-issue with the INTERNAL lookup-API

Browse Source
This commit is contained in:
int2001
2024-09-20 16:06:46 +00:00
parent 45e7207101
commit 8195325cdd
2 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
application/controllers/Api.php
View File

@@ -604,6 +604,7 @@ class API extends CI_Controller {
// Make sure users logged in
$raw_input = json_decode(file_get_contents("php://input"), true);
$user_id='';
$this->load->model('user_model');
if (!( $this->user_model->authorize($this->config->item('auth_mode') ))) { // User not authorized?
$no_auth=true;
@@ -612,14 +613,20 @@ class API extends CI_Controller {
$no_auth=true;
} else {
$no_auth=false;
$user_id=$this->api_model->key_userid($raw_input['key']);
}
if ($no_auth) {
http_response_code(401);
echo json_encode(['status' => 'failed', 'reason' => "missing api key or session"]);
die();
}
} else {
$user_id=$this->session->userdata('user_id');
}
$this->load->model('stations');
$station_ids=$this->stations->all_station_ids_of_user($user_id);
$lookup_callsign = strtoupper($raw_input['callsign'] ?? '');
if ($lookup_callsign ?? '' != '') {
@@ -710,7 +717,7 @@ class API extends CI_Controller {
* Pool any local data we have for a callsign
*
*/
$call_lookup_results = $this->logbook_model->call_lookup_result($lookup_callsign);
$call_lookup_results = $this->logbook_model->call_lookup_result($lookup_callsign, $station_ids);
if($call_lookup_results != null)
{
@@ -723,6 +730,7 @@ class API extends CI_Controller {
$return['us_county'] = $call_lookup_results->COL_CNTY;
$return['dxcc_id'] = $call_lookup_results->COL_DXCC;
$return['cont'] = $call_lookup_results->COL_CONT;
$return['wworked_before'] = true;
if ($return['gridsquare'] != "") {
$return['latlng'] = $this->qralatlng($return['gridsquare']);

3
application/models/Logbook_model.php
View File

@@ -1460,8 +1460,9 @@ class Logbook_model extends CI_Model {
* Usage: Callsign lookup data for the QSO panel and API/callsign_lookup
*
*/
function call_lookup_result($callsign) {
function call_lookup_result($callsign, $station_ids) {
$this->db->select('COL_CALL, COL_NAME, COL_QSL_VIA, COL_GRIDSQUARE, COL_QTH, COL_IOTA, COL_TIME_ON, COL_STATE, COL_CNTY, COL_DXCC, COL_CONT');
$this->db->where('station_id', $station_ids);
$this->db->where('COL_CALL', $callsign);
$where = "COL_NAME != \"\"";