Check form security token in /settings/userexport module (#13929)
* Escape HTML in the location field of a calendar event post - This allowed script tags to be interpreted in the post display of an event. * Add form security token check to /admin/phpinfo module - This prevents basic XSS attacks against /admin/phpinfo * Add form security token check to /babel module - This prevents basic XSS attacks against /babel * Prevent pass-through for attachments - This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/JavaScript file is attached to a post through upload * Prevent overwriting cid on event edit - This allowed sharing an event as any other user after zeroing the cid field of an existing event * Check form security token in /settings/userexport module - Prevents basic XSS attacks against /settings/userexport/*
This commit is contained in:
parent
5c5d7eb04f
commit
e16b6ee6e1
|
@ -29,7 +29,6 @@ use Friendica\Core\Session\Capability\IHandleUserSessions;
|
||||||
use Friendica\Core\System;
|
use Friendica\Core\System;
|
||||||
use Friendica\Database\DBA;
|
use Friendica\Database\DBA;
|
||||||
use Friendica\Database\Definition\DbaDefinition;
|
use Friendica\Database\Definition\DbaDefinition;
|
||||||
use Friendica\DI;
|
|
||||||
use Friendica\Model\Contact;
|
use Friendica\Model\Contact;
|
||||||
use Friendica\Model\Item;
|
use Friendica\Model\Item;
|
||||||
use Friendica\Model\Post;
|
use Friendica\Model\Post;
|
||||||
|
@ -47,8 +46,7 @@ use Psr\Log\LoggerInterface;
|
||||||
**/
|
**/
|
||||||
class UserExport extends BaseSettings
|
class UserExport extends BaseSettings
|
||||||
{
|
{
|
||||||
/** @var DbaDefinition */
|
private DbaDefinition $dbaDefinition;
|
||||||
private $dbaDefinition;
|
|
||||||
|
|
||||||
public function __construct(DbaDefinition $dbaDefinition, IHandleUserSessions $session, App\Page $page, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, array $server, array $parameters = [])
|
public function __construct(DbaDefinition $dbaDefinition, IHandleUserSessions $session, App\Page $page, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, array $server, array $parameters = [])
|
||||||
{
|
{
|
||||||
|
@ -86,10 +84,12 @@ class UserExport extends BaseSettings
|
||||||
* options shown on "Export personal data" page
|
* options shown on "Export personal data" page
|
||||||
* list of array( 'link url', 'link text', 'help text' )
|
* list of array( 'link url', 'link text', 'help text' )
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
$t = self::getFormSecurityToken('userexport');
|
||||||
$options = [
|
$options = [
|
||||||
['settings/userexport/account', $this->l10n->t('Export account'), $this->l10n->t('Export your account info and contacts. Use this to make a backup of your account and/or to move it to another server.')],
|
['settings/userexport/account?t=' . $t, $this->l10n->t('Export account'), $this->l10n->t('Export your account info and contacts. Use this to make a backup of your account and/or to move it to another server.')],
|
||||||
['settings/userexport/backup', $this->l10n->t('Export all'), $this->l10n->t('Export your account info, contacts and all your items as json. Could be a very big file, and could take a lot of time. Use this to make a full backup of your account (photos are not exported)')],
|
['settings/userexport/backup?t=' . $t, $this->l10n->t('Export all'), $this->l10n->t('Export your account info, contacts and all your items as json. Could be a very big file, and could take a lot of time. Use this to make a full backup of your account (photos are not exported)')],
|
||||||
['settings/userexport/contact', $this->l10n->t('Export Contacts to CSV'), $this->l10n->t('Export the list of the accounts you are following as CSV file. Compatible to e.g. Mastodon.')],
|
['settings/userexport/contact?t=' . $t, $this->l10n->t('Export Contacts to CSV'), $this->l10n->t('Export the list of the accounts you are following as CSV file. Compatible to e.g. Mastodon.')],
|
||||||
];
|
];
|
||||||
Hook::callAll('uexport_options', $options);
|
Hook::callAll('uexport_options', $options);
|
||||||
|
|
||||||
|
@ -115,20 +115,21 @@ class UserExport extends BaseSettings
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($this->parameters['action'])) {
|
if (isset($this->parameters['action'])) {
|
||||||
|
self::checkFormSecurityTokenForbiddenOnError('userexport', 't');
|
||||||
switch ($this->parameters['action']) {
|
switch ($this->parameters['action']) {
|
||||||
case 'backup':
|
case 'backup':
|
||||||
header('Content-type: application/json');
|
header('Content-type: application/json');
|
||||||
header('Content-Disposition: attachment; filename="' . DI::app()->getLoggedInUserNickname() . '.' . $this->parameters['action'] . '"');
|
header('Content-Disposition: attachment; filename="' . $this->session->getLocalUserNickname() . '.' . $this->parameters['action'] . '"');
|
||||||
$this->echoAll($this->session->getLocalUserId());
|
$this->echoAll($this->session->getLocalUserId());
|
||||||
break;
|
break;
|
||||||
case 'account':
|
case 'account':
|
||||||
header('Content-type: application/json');
|
header('Content-type: application/json');
|
||||||
header('Content-Disposition: attachment; filename="' . DI::app()->getLoggedInUserNickname() . '.' . $this->parameters['action'] . '"');
|
header('Content-Disposition: attachment; filename="' . $this->session->getLocalUserNickname() . '.' . $this->parameters['action'] . '"');
|
||||||
$this->echoAccount($this->session->getLocalUserId());
|
$this->echoAccount($this->session->getLocalUserId());
|
||||||
break;
|
break;
|
||||||
case 'contact':
|
case 'contact':
|
||||||
header('Content-type: application/csv');
|
header('Content-type: application/csv');
|
||||||
header('Content-Disposition: attachment; filename="' . DI::app()->getLoggedInUserNickname() . '-contacts.csv' . '"');
|
header('Content-Disposition: attachment; filename="' . $this->session->getLocalUserNickname() . '-contacts.csv' . '"');
|
||||||
$this->echoContactsAsCSV($this->session->getLocalUserId());
|
$this->echoContactsAsCSV($this->session->getLocalUserId());
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -156,12 +157,9 @@ class UserExport extends BaseSettings
|
||||||
if (!isset($row[$column])) {
|
if (!isset($row[$column])) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if ($field['type'] == 'datetime') {
|
|
||||||
$p[$column] = $row[$column] ?? DBA::NULL_DATETIME;
|
|
||||||
} else {
|
|
||||||
$p[$column] = $row[$column];
|
$p[$column] = $row[$column];
|
||||||
}
|
}
|
||||||
}
|
|
||||||
$result[] = $p;
|
$result[] = $p;
|
||||||
}
|
}
|
||||||
DBA::close($rows);
|
DBA::close($rows);
|
||||||
|
|
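Review bot: The token that `self::checkFormSecurityTokenForbiddenOnError('userexport', 't');` now requires is carried as a GET query parameter (`?t=` on the links built into `$options`), so a session-bound anti-forgery value ends up in browser history, Referer headers and access logs; a POST form per export action, or at least a comment stating the token's intended lifetime, would limit that exposure. The three `Content-Disposition` headers interpolate `$this->session->getLocalUserNickname()` into a double-quoted filename without any escaping — nicknames are presumably restricted to a safe character set, but that reliance should be stated, e.g. `// nickname is assumed to contain no '"' or CR/LF — verify against nickname validation`. The added check is a CSRF defence rather than the XSS mitigation the commit message describes, which is worth saying in a one-line comment above the call so the next reader does not look for an output-encoding fix here. The method containing this `switch` starts and ends outside the hunk.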