email: check the owner when set as primary (#5988)

* email: check the owner when set as primary Fixes a security issue reported by muxishuihan. * Update CHANGELOG
2020-03-15 18:58:56 +08:00 · 2020-03-15 18:58:56 +08:00 · 82ff0c5852
parent 07f71e2034
commit 82ff0c5852
5 changed files with 11 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -37,6 +37,7 @@ All notable changes to Gogs are documented in this file.

 - [Security] Potential open redirection with i18n.
 - [Security] Potential ability to delete files outside a repository.
+- [Security] Potential ability to set primary email on others' behalf from their verified emails.
 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
--- a/4
+++ b/4
@ -42,7 +42,7 @@ pack:

 release: build pack

-generate: $(ASSETS_GENERATED)
+generate: clean $(ASSETS_GENERATED)

 internal/assets/conf/conf_gen.go: $(CONF_FILES)
 	-rm -f $@
@ -59,7 +59,7 @@ internal/assets/public/public_gen.go: $(PUBLIC_FILES)
 	go generate internal/assets/public/public.go
 	gofmt -s -w $@

-less: public/css/gogs.min.css
+less: clean public/css/gogs.min.css

 public/css/gogs.min.css: $(LESS_FILES)
 	@type lessc >/dev/null 2>&1 && lessc --clean-css --source-map "public/less/gogs.less" $@ || echo "lessc command not found or failed"
--- a/internal/assets/public/public_gen.go
+++ b/internal/assets/public/public_gen.go
@ -1722,7 +1722,7 @@ func cssGogsMinCss() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)}
+	info := bindataFileInfo{name: "css/gogs.min.css", size: 64378, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)}
 	a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xd9, 0x49, 0xa9, 0x99, 0x79, 0x58, 0x26, 0xec, 0xaa, 0x9, 0x5a, 0x24, 0x6, 0x69, 0x2e, 0xe0, 0x3a, 0xb1, 0x53, 0xc4, 0x42, 0x72, 0x4d, 0xe0, 0x67, 0x6d, 0xae, 0x6c, 0x8f, 0xc4, 0x27, 0x27}}
 	return a, nil
 }
@ -1742,7 +1742,7 @@ func cssGogsMinCssMap() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584214336, 0)}
+	info := bindataFileInfo{name: "css/gogs.min.css.map", size: 22926, mode: os.FileMode(0644), modTime: time.Unix(1584215361, 0)}
 	a := &asset{bytes: bytes, info: info, digest: [32]uint8{0x46, 0x89, 0xb2, 0x95, 0x91, 0xfb, 0x5c, 0xda, 0xff, 0x63, 0x54, 0xc5, 0x91, 0xbf, 0x7a, 0x5a, 0xb5, 0x3d, 0xf, 0xf, 0x84, 0x41, 0x2d, 0xc3, 0x18, 0xf5, 0x74, 0xd7, 0xa9, 0x84, 0x70, 0xce}}
 	return a, nil
 }
--- a/internal/db/user_mail.go
+++ b/internal/db/user_mail.go
@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
 	return nil
 }

-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
 	has, err := x.Get(email)
 	if err != nil {
 		return err
@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
 		return errors.EmailNotFound{Email: email.Email}
 	}

+	if email.UID != userID {
+		return errors.New("not the owner of the email")
+	}
+
 	if !email.IsActivated {
 		return errors.EmailNotVerified{Email: email.Email}
 	}
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {

 	// Make emailaddress primary.
 	if c.Query("_method") == "PRIMARY" {
-		if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+		if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
 			c.ServerError("MakeEmailPrimary", err)
 			return
 		}