Ensure the private message recipient is valid in Mail::send

- Arbitrary input could be used to circumvent most restrictions regarding recipients (except contact relationship)
This commit is contained in:
Hypolite Petovan 2022-02-22 10:44:30 -05:00
parent b24fe917e4
commit 1d779c6193
2 changed files with 36 additions and 36 deletions

View File

@ -51,7 +51,7 @@ class ACL
* @return string * @return string
* @throws \Exception * @throws \Exception
*/ */
public static function getMessageContactSelectHTML(int $selected = null) public static function getMessageContactSelectHTML(int $selected = null): string
{ {
$o = ''; $o = '';
@ -62,25 +62,7 @@ class ACL
$page->registerStylesheet(Theme::getPathForFile('js/friendica-tagsinput/friendica-tagsinput.css')); $page->registerStylesheet(Theme::getPathForFile('js/friendica-tagsinput/friendica-tagsinput.css'));
$page->registerStylesheet(Theme::getPathForFile('js/friendica-tagsinput/friendica-tagsinput-typeahead.css')); $page->registerStylesheet(Theme::getPathForFile('js/friendica-tagsinput/friendica-tagsinput-typeahead.css'));
$condition = [ $contacts = self::getValidMessageRecipientsForUser(local_user());
'uid' => local_user(),
'self' => false,
'blocked' => false,
'pending' => false,
'archive' => false,
'deleted' => false,
'rel' => [Contact::FOLLOWER, Contact::SHARING, Contact::FRIEND],
'network' => Protocol::SUPPORT_PRIVATE,
];
$contacts = Contact::selectToArray(
['id', 'name', 'addr', 'micro'],
DBA::mergeConditions($condition, ["`notify` != ''"])
);
$arr = ['contact' => $contacts, 'entry' => $o];
Hook::callAll(DI::args()->getModuleName() . '_pre_recipient', $arr);
$tpl = Renderer::getMarkupTemplate('acl/message_recipient.tpl'); $tpl = Renderer::getMarkupTemplate('acl/message_recipient.tpl');
$o = Renderer::replaceMacros($tpl, [ $o = Renderer::replaceMacros($tpl, [
@ -93,6 +75,25 @@ class ACL
return $o; return $o;
} }
public static function getValidMessageRecipientsForUser(int $uid): array
{
$condition = [
'uid' => $uid,
'self' => false,
'blocked' => false,
'pending' => false,
'archive' => false,
'deleted' => false,
'rel' => [Contact::FOLLOWER, Contact::SHARING, Contact::FRIEND],
'network' => Protocol::SUPPORT_PRIVATE,
];
return Contact::selectToArray(
['id', 'name', 'addr', 'micro', 'url', 'nick'],
DBA::mergeConditions($condition, ["`notify` != ''"])
);
}
/** /**
* Returns a minimal ACL block for self-only permissions * Returns a minimal ACL block for self-only permissions
* *

View File

@ -21,6 +21,7 @@
namespace Friendica\Model; namespace Friendica\Model;
use Friendica\Core\ACL;
use Friendica\Core\Logger; use Friendica\Core\Logger;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Core\Worker; use Friendica\Core\Worker;
@ -39,10 +40,12 @@ class Mail
* Insert private message * Insert private message
* *
* @param array $msg * @param array $msg
* @param bool $notifiction * @param bool $notification
* @return int|boolean Message ID or false on error * @return int|boolean Message ID or false on error
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
* @throws \ImagickException
*/ */
public static function insert($msg, $notifiction = true) public static function insert($msg, $notification = true)
{ {
if (!isset($msg['reply'])) { if (!isset($msg['reply'])) {
$msg['reply'] = DBA::exists('mail', ['parent-uri' => $msg['parent-uri']]); $msg['reply'] = DBA::exists('mail', ['parent-uri' => $msg['parent-uri']]);
@ -92,7 +95,7 @@ class Mail
DBA::update('conv', ['updated' => DateTimeFormat::utcNow()], ['id' => $msg['convid']]); DBA::update('conv', ['updated' => DateTimeFormat::utcNow()], ['id' => $msg['convid']]);
} }
if ($notifiction) { if ($notification) {
$user = User::getById($msg['uid']); $user = User::getById($msg['uid']);
// send notifications. // send notifications.
$notif_params = [ $notif_params = [
@ -139,11 +142,15 @@ class Mail
return -2; return -2;
} }
$contact = DBA::selectFirst('contact', [], ['id' => $recipient, 'uid' => local_user()]); $contacts = ACL::getValidMessageRecipientsForUser(local_user());
if (!DBA::isResult($contact)) {
$contactIndex = array_search($recipient, array_column($contacts, 'id'));
if ($contactIndex === false) {
return -2; return -2;
} }
$contact = $contacts[$contactIndex];
Photo::setPermissionFromBody($body, local_user(), $me['id'], '<' . $contact['id'] . '>', '', '', ''); Photo::setPermissionFromBody($body, local_user(), $me['id'], '<' . $contact['id'] . '>', '', '', '');
$guid = System::createUUID(); $guid = System::createUUID();
@ -167,20 +174,12 @@ class Mail
$convuri = ''; $convuri = '';
if (!$convid) { if (!$convid) {
// create a new conversation // create a new conversation
$recip_host = substr($contact['url'], strpos($contact['url'], '://') + 3);
$recip_host = substr($recip_host, 0, strpos($recip_host, '/'));
$recip_handle = (($contact['addr']) ? $contact['addr'] : $contact['nick'] . '@' . $recip_host);
$sender_handle = $a->getLoggedInUserNickname() . '@' . substr(DI::baseUrl(), strpos(DI::baseUrl(), '://') + 3);
$conv_guid = System::createUUID(); $conv_guid = System::createUUID();
$convuri = $recip_handle . ':' . $conv_guid; $convuri = $contact['addr'] . ':' . $conv_guid;
$handles = $recip_handle . ';' . $sender_handle; $fields = ['uid' => local_user(), 'guid' => $conv_guid, 'creator' => $me['addr'],
$fields = ['uid' => local_user(), 'guid' => $conv_guid, 'creator' => $sender_handle,
'created' => DateTimeFormat::utcNow(), 'updated' => DateTimeFormat::utcNow(), 'created' => DateTimeFormat::utcNow(), 'updated' => DateTimeFormat::utcNow(),
'subject' => $subject, 'recips' => $handles]; 'subject' => $subject, 'recips' => $contact['addr'] . ';' . $me['addr']];
if (DBA::insert('conv', $fields)) { if (DBA::insert('conv', $fields)) {
$convid = DBA::lastInsertId(); $convid = DBA::lastInsertId();
} }