From a4561d7efa62a238e9e30765d3ec5aeefb9cfb61 Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Tue, 29 Aug 2023 12:02:21 +0200
Subject: [PATCH] Security: Add filter on messages forwarding
---
 main/inc/lib/message.lib.php | 20 ++++++++++++++++++++
 main/messages/new_message.php | 2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/main/inc/lib/message.lib.php b/main/inc/lib/message.lib.php
index b0250fd208..a9c3cd29de 100755
--- a/main/inc/lib/message.lib.php
+++ b/main/inc/lib/message.lib.php
@@ -3486,4 +3486,24 @@ class MessageManager
 ->setMultiple(true)
 ;
 }
+
+ /**
+ * Reports whether the given user is sender or receiver of the given message
+ * @param int $userId
+ * @param int $messageId
+ * @return bool
+ */
+ public static function isUserOwner(int $userId, int $messageId)
+ {
+ $table = Database::get_main_table(TABLE_MESSAGE);
+ $sql = "SELECT id FROM $table WHERE id = $messageId AND (user_receiver_id = $userId OR user_sender_id = $userId)";
+ $res = Database::query($sql);
+ if (Database::num_rows($res) === 1) {
+ return true;
+ }
+
+ return false;
+ }
 }
diff --git a/main/messages/new_message.php b/main/messages/new_message.php
index 35cc1b9205..b2e5f88892 100755
--- a/main/messages/new_message.php
+++ b/main/messages/new_message.php
@@ -226,7 +226,7 @@ function manageForm($default, $select_from_user_list = null, $sent_to = '', $tpl
 );
 }
- if (isset($_GET['forward_id'])) {
+ if (isset($_GET['forward_id']) && MessageManager::isUserOwner(api_get_user_id(), (int) $_GET['forward_id'])) {
 $forwardId = (int) $_GET['forward_id'];
 $message_reply_info = MessageManager::get_message_by_id($forwardId);
 $attachments = MessageManager::getAttachmentLinkList($forwardId, MessageManager::MESSAGE_TYPE_INBOX);
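Review bot: `isUserOwner` interpolates `$userId` and `$messageId` straight into the SQL on the `+ $sql = "SELECT id FROM $table ...` line; that is only injection-safe because both parameters are declared `int`, and nothing at the query site tells a later maintainer that the type hints are what is doing the protecting. Make that explicit and harder to regress by declaring the return type and collapsing the if/return, `public static function isUserOwner(int $userId, int $messageId): bool` with the body ending in `return Database::num_rows($res) === 1;`, plus a comment above the query such as `// $userId/$messageId are int-typed parameters, so direct interpolation cannot inject; escape or bind them if the signature ever loosens`. The `=== 1` test also assumes `id` is unique in the message table, which is likely but not visible in this hunk, so the docblock should say the method returns true only for exactly one matching row. The method says nothing about message state (any deleted or status-flagged rows, if the table tracks those), so a caller that must exclude them needs its own check.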
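Review bot: When the ownership check on the `+ if (isset($_GET['forward_id']) && MessageManager::isUserOwner(...)` line fails, the guard just falls through and renders a blank compose form, so an attempt to forward someone else's message is neither reported nor distinguishable from a missing parameter; consider rejecting it explicitly, the way the rest of this file handles unauthorized access (not visible in the hunk), so the attempt fails loudly and can be logged. This guard covers only the form-rendering path of `manageForm`, whose body starts and ends outside the hunk; if the submitted form carries the forward id or attachment ids in POST, the same `MessageManager::isUserOwner(api_get_user_id(), ...)` check is needed where those values are consumed, and I cannot see that path here. As a style point, `$_GET['forward_id']` is cast on the `+` line and again on the next context line; hoisting `$forwardId = (int) ($_GET['forward_id'] ?? 0);` above the `if` and testing `$forwardId > 0 && MessageManager::isUserOwner(api_get_user_id(), $forwardId)` removes the duplicate cast and makes the non-numeric case (which casts to 0) read as an explicit rejection.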