From 93a6e106629c3e80eeb87a2db4e1e9cd76e98d5e Mon Sep 17 00:00:00 2001
From: int2001
Date: Fri, 20 Feb 2026 13:43:13 +0000
Subject: [PATCH] URGENT: Securityfix for new API

---
 application/controllers/Api.php | 6 ++++++
 application/models/Logbooks_model.php | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index 418149602..16420d378 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -747,6 +747,7 @@ class API extends CI_Controller {
 echo json_encode(['status' => 'failed', 'reason' => "missing api key"]);
 die();
 }
+ $api_user_id = $this->api_model->key_userid($obj['key']);
 if(!isset($obj['logbook_public_slug'])) {
 http_response_code(400);
 echo json_encode(['status' => 'failed', 'reason' => "missing fields"]);
@@ -765,6 +766,11 @@ class API extends CI_Controller {
 $cnfm = null;
 }
 $this->load->model('logbooks_model');
+ if(!$this->logbooks_model->public_slug_belongs_to_user($logbook_slug, $api_user_id)) {
+ http_response_code(403);
+ echo json_encode(['status' => 'failed', 'reason' => "logbook does not belong to this api key"]);
+ die();
+ }
 if($this->logbooks_model->public_slug_exists($logbook_slug)) {
 $logbook_id = $this->logbooks_model->public_slug_exists_logbook_id($logbook_slug);
 if($logbook_id != false)
diff --git a/application/models/Logbooks_model.php b/application/models/Logbooks_model.php
index df69861ec..b114c2139 100644
--- a/application/models/Logbooks_model.php
+++ b/application/models/Logbooks_model.php
@@ -188,6 +188,13 @@ class Logbooks_model extends CI_Model {
 }
 }
 
+ function public_slug_belongs_to_user($slug, $user_id) {
+ $this->db->where('public_slug', $this->security->xss_clean($slug));
+ $this->db->where('user_id', $user_id);
+ $query = $this->db->get('station_logbooks');
+ return $query->num_rows() > 0;
+ }
+
 function is_public_slug_available($slug) {
 // Clean public_slug
 $clean_slug = $this->security->xss_clean($slug);
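Review bot: The user id resolved on the added line `$api_user_id = $this->api_model->key_userid($obj['key']);` is never checked before it becomes the basis of the ownership check in the next hunk; if `key_userid()` returns null or false for a key that is present but unknown or revoked, the request continues into the model query with an empty id instead of being rejected explicitly. The outcome is then fail-closed only if the query builder happens to match no rows for that value, which is not something an authorization path should depend on. Add an explicit guard right after the assignment, e.g. `if (empty($api_user_id)) { http_response_code(401); echo json_encode(['status' => 'failed', 'reason' => 'invalid api key']); die(); }`. Whether the key was already validated earlier in this method cannot be seen here, as the method starts before the hunk.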
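Review bot: The new ownership check and the lookup that follows it (`public_slug_exists` then `public_slug_exists_logbook_id`) are three separate queries on the same slug, so authorization and resolution are decoupled: the logbook id that is actually used afterwards is obtained without the user constraint. Resolving the logbook in one model call scoped to both the slug and `$api_user_id`, returning the logbook id or null, would make it impossible to act on an id the check did not cover and would also remove the duplicated lookups. Returning the same 403 for an unknown slug and for another user's slug is the right choice because it does not reveal whether a slug exists; a comment on the added `if` such as `// Same response for unknown and foreign slugs so slug existence is not revealed` would keep a later change from splitting the two cases. The surrounding method starts and ends outside this hunk.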
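Review bot: `public_slug_belongs_to_user` is an authorization primitive, yet it has no guard for an empty `$user_id`: as far as I can tell from CodeIgniter's query builder, `null` turns the clause into `user_id IS NULL` and `false` compares against `0`, so the answer depends on what `station_logbooks` happens to contain rather than on an explicit decision. Add `if (empty($user_id)) { return false; }` before the where clauses so the method fails closed on its own, and consider `$this->db->limit(1)` since only existence is needed. The `xss_clean()` on the slug mirrors `is_public_slug_available` below and is fine for consistency, but it is an output sanitiser, not an SQL protection — the query builder's parameter escaping is what protects this query — and a docblock should say so, e.g. `/** True when a station_logbooks row with this public slug is owned by $user_id; fails closed on an empty id. The slug is passed through xss_clean() only to match the other slug lookups in this model. @return bool */`. The method has no visibility keyword or type declarations, which matches the rest of the file, though `public function public_slug_belongs_to_user(string $slug, int $user_id): bool` would be the modern form.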