Skip to content

Commit

Permalink
[CVE-2022-29858] Read grant config for regenerate_shortcode
Browse files Browse the repository at this point in the history
  • Loading branch information
emteknetnz committed Jun 27, 2022
1 parent e5ca733 commit 6570020
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/Shortcodes/ImageShortcodeProvider.php
Original file line number Diff line number Diff line change
Expand Up @@ -130,10 +130,12 @@ public static function handle_shortcode($args, $content, $parser, $shortcode, $e
*/
public static function regenerate_shortcode($args, $content, $parser, $shortcode, $extra = [])
{
$allowSessionGrant = static::config()->allow_session_grant;

// Check if there is a suitable record
$record = static::find_shortcode_record($args);
if ($record) {
$args['src'] = $record->getURL();
$args['src'] = $record->getURL($allowSessionGrant);
}

// Rebuild shortcode
Expand Down
41 changes: 41 additions & 0 deletions tests/php/Shortcodes/ImageShortcodeProviderTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,17 @@

use SilverStripe\Assets\File;
use Silverstripe\Assets\Dev\TestAssetStore;
use SilverStripe\Assets\FilenameParsing\ParsedFileID;
use SilverStripe\Assets\Storage\AssetStore;
use SilverStripe\Core\Config\Config;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\View\Parsers\ShortcodeParser;
use SilverStripe\Assets\Image;
use SilverStripe\Assets\Shortcodes\ImageShortcodeProvider;
use SilverStripe\Assets\Shortcodes\FileShortcodeProvider;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Security\InheritedPermissions;
use SilverStripe\Security\Member;

/**
* @skipUpgrade
Expand Down Expand Up @@ -220,4 +226,39 @@ public function testLazyLoading()
$this->assertStringNotContainsString('loading="lazy"', $parser->parse($shortcode));
});
}

public function testRegenerateShortcode()
{
$assetStore = Injector::inst()->get(AssetStore::class);
$member = Member::create();
$member->write();
// Logout first to throw away the existing session which may have image grants.
$this->logOut();
$this->logInAs($member);
// image is in protected asset store
$image = $this->objFromFixture(Image::class, 'imageWithTitle');
$image->CanViewType = InheritedPermissions::ONLY_THESE_USERS;
$image->write();
$url = $image->getUrl(false);
$args = [
'id' => $image->ID,
'src' => $url,
'width' => '550',
'height' => '366',
'class' => 'leftAlone ss-htmleditorfield-file image',
];
$shortHash = substr($image->getHash(), 0, 10);
$expected = implode(' ', [
'[image id="' . $image->ID . '" src="/assets/folder/' . $shortHash . '/test-image.png" width="550"',
'height="366" class="leftAlone ss-htmleditorfield-file image"]'
]);
$parsedFileID = new ParsedFileID($image->getFilename(), $image->getHash());
$html = ImageShortcodeProvider::regenerate_shortcode($args, '', '', 'image');
$this->assertSame($expected, $html);
$this->assertFalse($assetStore->isGranted($parsedFileID));
Config::modify()->set(FileShortcodeProvider::class, 'allow_session_grant', true);
$html = ImageShortcodeProvider::regenerate_shortcode($args, '', '', 'image');
$this->assertSame($expected, $html);
$this->assertTrue($assetStore->isGranted($parsedFileID));
}
}

0 comments on commit 6570020

Please sign in to comment.