Merge pull request #10113 from MrPetovan/bug/10110-userexport-security

Prevent settings/userexport to be used by anonymous users
This commit is contained in:
Tobias Diekershoff 2021-04-02 07:44:01 +02:00 committed by GitHub
commit bbe567a9c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -30,6 +30,7 @@ use Friendica\DI;
use Friendica\Model\Item; use Friendica\Model\Item;
use Friendica\Model\Post; use Friendica\Model\Post;
use Friendica\Module\BaseSettings; use Friendica\Module\BaseSettings;
use Friendica\Network\HTTPException;
/** /**
* Module to export user data * Module to export user data
@ -46,9 +47,18 @@ class UserExport extends BaseSettings
* *
* If there is an action required through the URL / path, react * If there is an action required through the URL / path, react
* accordingly and export the requested data. * accordingly and export the requested data.
**/ *
* @param array $parameters Router-supplied parameters
* @return string
* @throws HTTPException\ForbiddenException
* @throws HTTPException\InternalServerErrorException
*/
public static function content(array $parameters = []) public static function content(array $parameters = [])
{ {
if (!local_user()) {
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
}
parent::content($parameters); parent::content($parameters);
/** /**
@ -68,14 +78,22 @@ class UserExport extends BaseSettings
'$options' => $options '$options' => $options
]); ]);
} }
/** /**
* raw content generated for the different choices made * raw content generated for the different choices made
* by the user. At the moment this returns a JSON file * by the user. At the moment this returns a JSON file
* to the browser which then offers a save / open dialog * to the browser which then offers a save / open dialog
* to the user. * to the user.
**/ *
* @param array $parameters Router-supplied parameters
* @throws HTTPException\ForbiddenException
*/
public static function rawContent(array $parameters = []) public static function rawContent(array $parameters = [])
{ {
if (!local_user() || !empty(DI::app()->user['uid']) && DI::app()->user['uid'] != local_user()) {
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
}
$args = DI::args(); $args = DI::args();
if ($args->getArgc() == 3) { if ($args->getArgc() == 3) {
// @TODO Replace with router-provided arguments // @TODO Replace with router-provided arguments
@ -85,26 +103,29 @@ class UserExport extends BaseSettings
case "backup": case "backup":
header("Content-type: application/json"); header("Content-type: application/json");
header('Content-Disposition: attachment; filename="' . $user['nickname'] . '.' . $action . '"'); header('Content-Disposition: attachment; filename="' . $user['nickname'] . '.' . $action . '"');
self::exportAll(DI::app()); self::exportAll(local_user());
exit();
break; break;
case "account": case "account":
header("Content-type: application/json"); header("Content-type: application/json");
header('Content-Disposition: attachment; filename="' . $user['nickname'] . '.' . $action . '"'); header('Content-Disposition: attachment; filename="' . $user['nickname'] . '.' . $action . '"');
self::exportAccount(DI::app()); self::exportAccount(local_user());
exit();
break; break;
case "contact": case "contact":
header("Content-type: application/csv"); header("Content-type: application/csv");
header('Content-Disposition: attachment; filename="' . $user['nickname'] . '-contacts.csv'. '"'); header('Content-Disposition: attachment; filename="' . $user['nickname'] . '-contacts.csv' . '"');
self::exportContactsAsCSV(); self::exportContactsAsCSV(local_user());
exit();
break; break;
default: }
exit(); exit();
} }
} }
}
/**
* @param string $query
* @return array
* @throws \Exception
*/
private static function exportMultiRow(string $query) private static function exportMultiRow(string $query)
{ {
$dbStructure = DBStructure::definition(DI::app()->getBasePath(), false); $dbStructure = DBStructure::definition(DI::app()->getBasePath(), false);
@ -132,6 +153,11 @@ class UserExport extends BaseSettings
return $result; return $result;
} }
/**
* @param string $query
* @return array
* @throws \Exception
*/
private static function exportRow(string $query) private static function exportRow(string $query)
{ {
$dbStructure = DBStructure::definition(DI::app()->getBasePath(), false); $dbStructure = DBStructure::definition(DI::app()->getBasePath(), false);
@ -142,12 +168,12 @@ class UserExport extends BaseSettings
$result = []; $result = [];
$r = q($query); $r = q($query);
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
foreach ($r as $rr) { foreach ($r as $rr) {
foreach ($rr as $k => $v) { foreach ($rr as $k => $v) {
if (empty($dbStructure[$table]['fields'][$k])) { if (empty($dbStructure[$table]['fields'][$k])) {
continue; continue;
} }
switch ($dbStructure[$table]['fields'][$k]['type']) { switch ($dbStructure[$table]['fields'][$k]['type']) {
case 'datetime': case 'datetime':
$result[$k] = $v ?? DBA::NULL_DATETIME; $result[$k] = $v ?? DBA::NULL_DATETIME;
@ -159,59 +185,76 @@ class UserExport extends BaseSettings
} }
} }
} }
return $result; return $result;
} }
/** /**
* Export a list of the contacts as CSV file as e.g. Mastodon and Pleroma are doing. * Export a list of the contacts as CSV file as e.g. Mastodon and Pleroma are doing.
**/ *
private static function exportContactsAsCSV() * @param int $user_id
* @throws \Exception
*/
private static function exportContactsAsCSV(int $user_id)
{ {
if (!$user_id) {
throw new \RuntimeException(DI::l10n()->t('Permission denied.'));
}
// write the table header (like Mastodon) // write the table header (like Mastodon)
echo "Account address, Show boosts\n"; echo "Account address, Show boosts\n";
// get all the contacts // get all the contacts
$contacts = DBA::select('contact', ['addr', 'url'], ['uid' => $_SESSION['uid'], 'self' => false, 'rel' => [1,3], 'deleted' => false]); $contacts = DBA::select('contact', ['addr', 'url'], ['uid' => $user_id, 'self' => false, 'rel' => [1, 3], 'deleted' => false]);
while ($contact = DBA::fetch($contacts)) { while ($contact = DBA::fetch($contacts)) {
echo ($contact['addr'] ?: $contact['url']) . ", true\n"; echo ($contact['addr'] ?: $contact['url']) . ", true\n";
} }
DBA::close($contacts); DBA::close($contacts);
} }
private static function exportAccount(App $a)
/**
* @param int $user_id
* @throws \Exception
*/
private static function exportAccount(int $user_id)
{ {
if (!$user_id) {
throw new \RuntimeException(DI::l10n()->t('Permission denied.'));
}
$user = self::exportRow( $user = self::exportRow(
sprintf("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", intval(local_user())) sprintf("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", $user_id)
); );
$contact = self::exportMultiRow( $contact = self::exportMultiRow(
sprintf("SELECT * FROM `contact` WHERE `uid` = %d ", intval(local_user())) sprintf("SELECT * FROM `contact` WHERE `uid` = %d ", $user_id)
); );
$profile = self::exportMultiRow( $profile = self::exportMultiRow(
sprintf("SELECT *, 'default' AS `profile_name`, 1 AS `is-default` FROM `profile` WHERE `uid` = %d ", intval(local_user())) sprintf("SELECT *, 'default' AS `profile_name`, 1 AS `is-default` FROM `profile` WHERE `uid` = %d ", $user_id)
); );
$profile_fields = self::exportMultiRow( $profile_fields = self::exportMultiRow(
sprintf("SELECT * FROM `profile_field` WHERE `uid` = %d ", intval(local_user())) sprintf("SELECT * FROM `profile_field` WHERE `uid` = %d ", $user_id)
); );
$photo = self::exportMultiRow( $photo = self::exportMultiRow(
sprintf("SELECT * FROM `photo` WHERE uid = %d AND profile = 1", intval(local_user())) sprintf("SELECT * FROM `photo` WHERE uid = %d AND profile = 1", $user_id)
); );
foreach ($photo as &$p) { foreach ($photo as &$p) {
$p['data'] = bin2hex($p['data']); $p['data'] = bin2hex($p['data']);
} }
$pconfig = self::exportMultiRow( $pconfig = self::exportMultiRow(
sprintf("SELECT * FROM `pconfig` WHERE uid = %d", intval(local_user())) sprintf("SELECT * FROM `pconfig` WHERE uid = %d", $user_id)
); );
$group = self::exportMultiRow( $group = self::exportMultiRow(
sprintf("SELECT * FROM `group` WHERE uid = %d", intval(local_user())) sprintf("SELECT * FROM `group` WHERE uid = %d", $user_id)
); );
$group_member = self::exportMultiRow( $group_member = self::exportMultiRow(
sprintf("SELECT `group_member`.`gid`, `group_member`.`contact-id` FROM `group_member` INNER JOIN `group` ON `group`.`id` = `group_member`.`gid` WHERE `group`.`uid` = %d", intval(local_user())) sprintf("SELECT `group_member`.`gid`, `group_member`.`contact-id` FROM `group_member` INNER JOIN `group` ON `group`.`id` = `group_member`.`gid` WHERE `group`.`uid` = %d", $user_id)
); );
$output = [ $output = [
@ -234,21 +277,25 @@ class UserExport extends BaseSettings
/** /**
* echoes account data and items as separated json, one per line * echoes account data and items as separated json, one per line
* *
* @param App $a * @param int $user_id
* @throws \Exception * @throws \Exception
*/ */
private static function exportAll(App $a) private static function exportAll(int $user_id)
{ {
self::exportAccount($a); if (!$user_id) {
throw new \RuntimeException(DI::l10n()->t('Permission denied.'));
}
self::exportAccount($user_id);
echo "\n"; echo "\n";
$total = Post::count(['uid' => local_user()]); $total = Post::count(['uid' => $user_id]);
// chunk the output to avoid exhausting memory // chunk the output to avoid exhausting memory
for ($x = 0; $x < $total; $x += 500) { for ($x = 0; $x < $total; $x += 500) {
$items = Post::selectToArray(Item::ITEM_FIELDLIST, ['uid' => local_user()], ['limit' => [$x, 500]]); $items = Post::selectToArray(Item::ITEM_FIELDLIST, ['uid' => $user_id], ['limit' => [$x, 500]]);
$output = ['item' => $items]; $output = ['item' => $items];
echo json_encode($output, JSON_PARTIAL_OUTPUT_ON_ERROR). "\n"; echo json_encode($output, JSON_PARTIAL_OUTPUT_ON_ERROR) . "\n";
} }
} }
} }