URGENT: Securityfix for new API

int2001
2026-02-20 13:43:13 +00:00
parent 42a4924313
commit 93a6e10662
2 changed files with 13 additions and 0 deletions


@@ -747,6 +747,7 @@ class API extends CI_Controller {
echo json_encode(['status' => 'failed', 'reason' => "missing api key"]); echo json_encode(['status' => 'failed', 'reason' => "missing api key"]);
die(); die();
} }
$api_user_id = $this->api_model->key_userid($obj['key']);
if(!isset($obj['logbook_public_slug'])) { if(!isset($obj['logbook_public_slug'])) {
http_response_code(400); http_response_code(400);
echo json_encode(['status' => 'failed', 'reason' => "missing fields"]); echo json_encode(['status' => 'failed', 'reason' => "missing fields"]);
@@ -765,6 +766,11 @@ class API extends CI_Controller {
$cnfm = null; $cnfm = null;
} }
$this->load->model('logbooks_model'); $this->load->model('logbooks_model');
if(!$this->logbooks_model->public_slug_belongs_to_user($logbook_slug, $api_user_id)) {
http_response_code(403);
echo json_encode(['status' => 'failed', 'reason' => "logbook does not belong to this api key"]);
die();
}
if($this->logbooks_model->public_slug_exists($logbook_slug)) { if($this->logbooks_model->public_slug_exists($logbook_slug)) {
$logbook_id = $this->logbooks_model->public_slug_exists_logbook_id($logbook_slug); $logbook_id = $this->logbooks_model->public_slug_exists_logbook_id($logbook_slug);
if($logbook_id != false) if($logbook_id != false)
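Review bot: The ownership check added before `public_slug_exists` and the `public_slug_exists_logbook_id` lookup that follows each resolve `$logbook_slug` in separate queries, so the id that is ultimately used is not the one whose ownership was verified; a single model method that resolves the logbook id for the (slug, `$api_user_id`) pair and returns null when no such row exists would make the check and the use one query, and the later `!= false` test could then become `=== null`. `$api_user_id` comes from `key_userid()` in the first hunk; if that call returns an empty value for an unknown or revoked key, it should be rejected with 401/403 before reaching `public_slug_belongs_to_user` rather than being passed into the where clause — whether the key validation that precedes this hunk already guarantees a non-empty id is not visible here. `$logbook_slug` is assigned between the two hunks and the method continues past the last line shown.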


@@ -188,6 +188,13 @@ class Logbooks_model extends CI_Model {
} }
} }
function public_slug_belongs_to_user($slug, $user_id) {
$this->db->where('public_slug', $this->security->xss_clean($slug));
$this->db->where('user_id', $user_id);
$query = $this->db->get('station_logbooks');
return $query->num_rows() > 0;
}
function is_public_slug_available($slug) { function is_public_slug_available($slug) {
// Clean public_slug // Clean public_slug
$clean_slug = $this->security->xss_clean($slug); $clean_slug = $this->security->xss_clean($slug);
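Review bot: `public_slug_belongs_to_user` is the new authorization primitive but has no docblock and does not guard its arguments; add above it `/** Authorization gate: true when a station_logbooks row with this public_slug is owned by $user_id. */` and open the body with `if ($slug === null || $slug === '' || $user_id === null || $user_id === '') { return false; }` so an empty user id from a failed key lookup cannot turn the `user_id` condition into an `IS NULL` comparison (whether unowned rows exist in that table is not visible here). The `xss_clean()` applied to the slug is an HTML-output filter rather than input validation, and Query Builder's `where()` already binds the value; its only relevance is that `public_slug_exists` and `public_slug_exists_logbook_id` must apply the same transformation, otherwise the authorization check and the subsequent lookup compare different slug values. The hunk header counts seven added lines but six are visible on this page, so one line of the new method may be missing from the rendering.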