forks/miniflux
1
0
Fork 0
Code Releases Activity

Security fix: any user can delete any feed

Browse source 
Regression introduced in commit 51fb949.
This commit is contained in:
Frédéric Guillot 2021-05-07 16:25:44 -07:00
parent fa49bcaf8b
commit 32439ca2f0
2 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
storage/feed.go
View file

@ -381,7 +381,7 @@ func (s *Storage) RemoveFeed(userID, feedID int64) error {
} }
} }
if _, err := s.db.Exec(`DELETE FROM feeds WHERE id=$1`, feedID); err != nil { if _, err := s.db.Exec(`DELETE FROM feeds WHERE id=$1 AND user_id=$2`, feedID, userID); err != nil {
return fmt.Errorf(`store: unable to delete feed #%d: %v`, feedID, err) return fmt.Errorf(`store: unable to delete feed #%d: %v`, feedID, err)
} }

6
ui/feed_remove.go
View file

@ -14,6 +14,12 @@ import (
func (h *handler) removeFeed(w http.ResponseWriter, r *http.Request) { func (h *handler) removeFeed(w http.ResponseWriter, r *http.Request) {
feedID := request.RouteInt64Param(r, "feedID") feedID := request.RouteInt64Param(r, "feedID")
if !h.store.FeedExists(request.UserID(r), feedID) {
html.NotFound(w, r)
return
}
if err := h.store.RemoveFeed(request.UserID(r), feedID); err != nil { if err := h.store.RemoveFeed(request.UserID(r), feedID); err != nil {
html.ServerError(w, r, err) html.ServerError(w, r, err)
return return