FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)

See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/
This commit is contained in:
Ingo Schommer 2013-08-30 13:59:05 +02:00
parent 68ca47b0dd
commit 46556b609e
2 changed files with 37 additions and 21 deletions

View File

@ -100,7 +100,19 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
. ' database'
)
)
)
),
$groupsTab = new Tab('Groups', singleton('Group')->i18n_plural_name(),
$groupList
)
),
// necessary for tree node selection in LeftAndMain.EditForm.js
new HiddenField('ID', false, 0)
);
// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
if(Permission::check('ADMIN')) {
$fields->addFieldsToTab('Root.Users', array(
new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
new LiteralField(
'MemberImportFormIframe',
@ -110,9 +122,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
$this->Link('memberimport')
)
)
),
$groupsTab = new Tab('Groups', singleton('Group')->i18n_plural_name(),
$groupList,
));
$fields->addFieldsToTab('Root.Groups', array(
new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
new LiteralField(
'GroupImportFormIframe',
@ -122,11 +133,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
$this->Link('groupimport')
)
)
)
),
// necessary for tree node selection in LeftAndMain.EditForm.js
new HiddenField('ID', false, 0)
);
));
}
// Tab nav in CMS is rendered through separate template
$root->setTemplate('CMSTabSet');
@ -195,6 +203,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
* @return Form
*/
public function MemberImportForm() {
if(!Permission::check('ADMIN')) return false;
$group = $this->currentPage();
$form = new MemberImportForm(
$this,
@ -225,6 +235,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
* @return Form
*/
public function GroupImportForm() {
if(!Permission::check('ADMIN')) return false;
$form = new GroupImportForm(
$this,
'GroupImportForm'

View File

@ -26,6 +26,10 @@ a custom start up script will still process all flush requests as normal.
### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)
### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)
See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)
## Upgrading
* If you have created your own composite database fields, then you should amend the setValue() to allow the passing of