BookStack Code Mirror - bookstack/commit
Addressed user detail harvesting issue
author Dan Brown <redacted>
Tue, 14 Dec 2021 18:47:22 +0000 (18:47 +0000)
committer Dan Brown <redacted>
Tue, 14 Dec 2021 18:47:22 +0000 (18:47 +0000)
commit e765e618547c92f4e0b46caca6fb91f0174efd99
tree c213ce2924f760dd7cfdc3a84a5914c68dcf4b1a
parent 867cbe15eab76215e1e84ae285b5c443ab16959f
Addressed user detail harvesting issue

Altered access & usage of the /search/users/select endpoint with the
following changes:
- Removed searching of email address to prevent email detail discovery
  via hunting via search queries.
- Required the user to be logged in and have permission to manage users
  or manage permissions on items in some way.
- Removed the user migration option on user delete unless they have
  permission to manage users.

For #3108
Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/
Reported by @haxatron
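As an added example (not BookStack's own code, and not the diff of this commit), the following Laravel-style controller method shows the two controls the commit message describes for a user-select search endpoint: the caller must be authenticated and hold a user-management or permission-management right, and the query matches on display name only, never touching the email column in either the filter or the returned fields. The permission names, the `App\Models\User` model location and the `search` query parameter are assumptions for illustration.

```php
<?php
// Added example, not BookStack's code. It illustrates the mitigations named in the
// commit message: authenticated + authorised callers only, and name-only matching so
// the endpoint cannot be used to confirm or enumerate email addresses.

namespace App\Http\Controllers;

use App\Models\User;                     // assumed model location
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class UserSearchController extends Controller
{
    // Assumed permission names: any one of these is enough to use the endpoint.
    private const REQUIRED_ANY = [
        'users-manage',
        'restrictions-manage-all',
        'restrictions-manage-own',
    ];

    public function forSelect(Request $request): JsonResponse
    {
        $user = $request->user();
        if ($user === null) {
            abort(401); // anonymous callers get nothing, not even an empty list
        }
        if (!Gate::forUser($user)->any(self::REQUIRED_ANY)) {
            abort(403); // logged in but without a management right
        }

        $term = trim((string) $request->get('search', ''));
        if ($term === '') {
            return response()->json([]);
        }

        // Escape LIKE wildcards so a caller cannot widen the match with % or _.
        $escaped = addcslashes($term, '%_\\');

        $users = User::query()
            ->select(['id', 'name'])             // email is never selected
            ->where('name', 'like', "%{$escaped}%") // email is never a filter column
            ->orderBy('name')
            ->limit(20)
            ->get();

        return response()->json($users);
    }
}
```

The two checks are deliberately separate: the 401/403 split keeps the authorisation decision explicit, and restricting both the `where` clause and the `select` list means that even an authorised caller cannot learn an address by guessing it, which is the harvesting path the commit closes.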
app/Auth/UserRepo.php
app/Http/Controllers/UserSearchController.php
resources/views/users/delete.blade.php
tests/User/UserManagementTest.php
tests/User/UserSearchTest.php [new file with mode: 0644]