Fixed security hole where other people could delete YOUR posts. Yes, yours. You're welcome.

author: Vika Shleina <vika@fireburn.ru> 2021-07-21 06:07:35 +0300
committer: Vika Shleina <vika@fireburn.ru> 2021-07-21 06:07:35 +0300
commit: c98e370326102dac0c7c16c9b556da018b41803b (patch)
tree: ca9a4024e18b663ba148133c74731752ff1e1114 /src/micropub/post.rs
parent: 36811f1aaa96cb58ab5de5d59e28375f28414b74 (diff)
download: kittybox-c98e370326102dac0c7c16c9b556da018b41803b.tar.zst
1 files changed, 25 insertions, 0 deletions
diff --git a/src/micropub/post.rs b/src/micropub/post.rs
index eaa603a..95b4dd0 100644
--- a/src/micropub/post.rs
+++ b/src/micropub/post.rs
@@ -511,6 +511,17 @@ async fn process_json<S: Storage>(
                         "You need a `delete` scope to delete posts."
                     );
                 }
+                // This special scope is not available through a token endpoint, since the
+                // authorization endpoint is supposed to reject any auth request trying to get this
+                // scope. It is intended for TRUSTED external services that need to modify the
+                // database while ignoring any access controls
+                if (url::Url::parse(url)?.origin().ascii_serialization() + "/") != user.me.as_str() && !user.check_scope("kittybox_internal:do_what_thou_wilt") {
+                    return error_json!(
+                        403,
+                        "forbidden",
+                        "You're not allowed to delete someone else's posts."
+                    )
+                }
                 if let Err(error) = req.state().storage.delete_post(&url).await {
                     return Ok(error.into());
                 }
@@ -524,6 +535,13 @@ async fn process_json<S: Storage>(
                         "You need an `update` scope to update posts."
                     );
                 }
+                if (url::Url::parse(url)?.origin().ascii_serialization() + "/") != user.me.as_str() && !user.check_scope("kittybox_internal:do_what_thou_wilt") {
+                    return error_json!(
+                        403,
+                        "forbidden",
+                        "You're not allowed to delete someone else's posts."
+                    )
+                }
                 if let Err(error) = req.state().storage.update_post(&url, body.clone()).await {
                     Ok(error.into())
                 } else {
@@ -591,6 +609,13 @@ async fn process_form<S: Storage>(
             }
             match form.iter().find(|(k, _)| k == "url") {
                 Some((_, url)) => {
+                    if (url::Url::parse(url)?.origin().ascii_serialization() + "/") != user.me.as_str() && !user.check_scope("kittybox_internal:do_what_thou_wilt") {
+                        return error_json!(
+                            403,
+                            "forbidden",
+                            "You're not allowed to delete someone else's posts."
+                        )
+                    }
                     if let Err(error) = req.state().storage.delete_post(&url).await {
                         return error_json!(500, "database_error", error);
                     }
author	Vika Shleina <vika@fireburn.ru>	2021-07-21 06:07:35 +0300
committer	Vika Shleina <vika@fireburn.ru>	2021-07-21 06:07:35 +0300
commit	c98e370326102dac0c7c16c9b556da018b41803b (patch)
tree	ca9a4024e18b663ba148133c74731752ff1e1114 /src/micropub/post.rs
parent	36811f1aaa96cb58ab5de5d59e28375f28414b74 (diff)
download	kittybox-c98e370326102dac0c7c16c9b556da018b41803b.tar.zst