Check form security token in /settings/userexport module (#13929)

* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event

* Check form security token in /settings/userexport module

- Prevents basic XSS attacks against /settings/userexport/*
This commit is contained in:
Hypolite Petovan 2024-02-22 15:08:32 -05:00 committed by GitHub
parent 5c5d7eb04f
commit e16b6ee6e1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -29,7 +29,6 @@ use Friendica\Core\Session\Capability\IHandleUserSessions;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Database\Definition\DbaDefinition; use Friendica\Database\Definition\DbaDefinition;
use Friendica\DI;
use Friendica\Model\Contact; use Friendica\Model\Contact;
use Friendica\Model\Item; use Friendica\Model\Item;
use Friendica\Model\Post; use Friendica\Model\Post;
@ -47,8 +46,7 @@ use Psr\Log\LoggerInterface;
**/ **/
class UserExport extends BaseSettings class UserExport extends BaseSettings
{ {
/** @var DbaDefinition */ private DbaDefinition $dbaDefinition;
private $dbaDefinition;
public function __construct(DbaDefinition $dbaDefinition, IHandleUserSessions $session, App\Page $page, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, array $server, array $parameters = []) public function __construct(DbaDefinition $dbaDefinition, IHandleUserSessions $session, App\Page $page, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, array $server, array $parameters = [])
{ {
@ -86,10 +84,12 @@ class UserExport extends BaseSettings
* options shown on "Export personal data" page * options shown on "Export personal data" page
* list of array( 'link url', 'link text', 'help text' ) * list of array( 'link url', 'link text', 'help text' )
*/ */
$t = self::getFormSecurityToken('userexport');
$options = [ $options = [
['settings/userexport/account', $this->l10n->t('Export account'), $this->l10n->t('Export your account info and contacts. Use this to make a backup of your account and/or to move it to another server.')], ['settings/userexport/account?t=' . $t, $this->l10n->t('Export account'), $this->l10n->t('Export your account info and contacts. Use this to make a backup of your account and/or to move it to another server.')],
['settings/userexport/backup', $this->l10n->t('Export all'), $this->l10n->t('Export your account info, contacts and all your items as json. Could be a very big file, and could take a lot of time. Use this to make a full backup of your account (photos are not exported)')], ['settings/userexport/backup?t=' . $t, $this->l10n->t('Export all'), $this->l10n->t('Export your account info, contacts and all your items as json. Could be a very big file, and could take a lot of time. Use this to make a full backup of your account (photos are not exported)')],
['settings/userexport/contact', $this->l10n->t('Export Contacts to CSV'), $this->l10n->t('Export the list of the accounts you are following as CSV file. Compatible to e.g. Mastodon.')], ['settings/userexport/contact?t=' . $t, $this->l10n->t('Export Contacts to CSV'), $this->l10n->t('Export the list of the accounts you are following as CSV file. Compatible to e.g. Mastodon.')],
]; ];
Hook::callAll('uexport_options', $options); Hook::callAll('uexport_options', $options);
@ -115,20 +115,21 @@ class UserExport extends BaseSettings
} }
if (isset($this->parameters['action'])) { if (isset($this->parameters['action'])) {
self::checkFormSecurityTokenForbiddenOnError('userexport', 't');
switch ($this->parameters['action']) { switch ($this->parameters['action']) {
case 'backup': case 'backup':
header('Content-type: application/json'); header('Content-type: application/json');
header('Content-Disposition: attachment; filename="' . DI::app()->getLoggedInUserNickname() . '.' . $this->parameters['action'] . '"'); header('Content-Disposition: attachment; filename="' . $this->session->getLocalUserNickname() . '.' . $this->parameters['action'] . '"');
$this->echoAll($this->session->getLocalUserId()); $this->echoAll($this->session->getLocalUserId());
break; break;
case 'account': case 'account':
header('Content-type: application/json'); header('Content-type: application/json');
header('Content-Disposition: attachment; filename="' . DI::app()->getLoggedInUserNickname() . '.' . $this->parameters['action'] . '"'); header('Content-Disposition: attachment; filename="' . $this->session->getLocalUserNickname() . '.' . $this->parameters['action'] . '"');
$this->echoAccount($this->session->getLocalUserId()); $this->echoAccount($this->session->getLocalUserId());
break; break;
case 'contact': case 'contact':
header('Content-type: application/csv'); header('Content-type: application/csv');
header('Content-Disposition: attachment; filename="' . DI::app()->getLoggedInUserNickname() . '-contacts.csv' . '"'); header('Content-Disposition: attachment; filename="' . $this->session->getLocalUserNickname() . '-contacts.csv' . '"');
$this->echoContactsAsCSV($this->session->getLocalUserId()); $this->echoContactsAsCSV($this->session->getLocalUserId());
break; break;
} }
@ -156,11 +157,8 @@ class UserExport extends BaseSettings
if (!isset($row[$column])) { if (!isset($row[$column])) {
continue; continue;
} }
if ($field['type'] == 'datetime') {
$p[$column] = $row[$column] ?? DBA::NULL_DATETIME; $p[$column] = $row[$column];
} else {
$p[$column] = $row[$column];
}
} }
$result[] = $p; $result[] = $p;
} }