Revision 293036df
Added by Daniel Lobato Garcia over 8 years ago
app/controllers/reports_controller.rb | ||
---|---|---|
before_filter :setup_search_options, :only => :index
|
||
|
||
def index
|
||
report_authorized = resource_base.my_reports
|
||
@reports = report_authorized.search_for(params[:search], :order => params[:order]).paginate(:page => params[:page], :per_page => params[:per_page]).includes(:host)
|
||
@reports = resource_base.search_for(params[:search], :order => params[:order]).paginate(:page => params[:page], :per_page => params[:per_page]).includes(:host)
|
||
end
|
||
|
||
def show
|
||
# are we searching for the last report?
|
||
if params[:id] == "last"
|
||
conditions = { :host_id => Host.find(params[:host_id]).try(:id) } unless params[:host_id].blank?
|
||
conditions = { :host_id => Host.authorized(:view_hosts).find(params[:host_id]).try(:id) } if params[:host_id].present?
|
||
params[:id] = resource_base.where(conditions).maximum(:id)
|
||
end
|
||
|
||
return not_found if params[:id].blank?
|
||
|
||
@report = resource_base.includes(:logs => [:message, :source]).find(params[:id])
|
||
@offset = @report.reported_at - @report.created_at
|
||
end
|
||
... | ... | |
def destroy
|
||
@report = resource_base.find(params[:id])
|
||
if @report.destroy
|
||
process_success :success_msg => _("Successfully deleted report."), :success_redirect => reports_path
|
||
process_success(:success_msg => _("Successfully deleted report."), :success_redirect => reports_path)
|
||
else
|
||
process_error
|
||
end
|
||
end
|
||
|
||
private
|
||
|
||
def resource_base
|
||
super.my_reports
|
||
end
|
||
end
|
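Review bot: The `.try(:id)` kept on the new `Host.authorized(:view_hosts).find(params[:host_id])` line in `show` looks dead: `find` on a single id raises rather than returning nil, so `.id` would do and the `try` only suggests a nil path that cannot occur (this assumes `authorized` returns an ActiveRecord relation, which is outside the hunk). More importantly, the `find(params[:id])` calls in `show` and `destroy` are unchanged, so the new restriction rests entirely on the private `resource_base` override at the end of the hunk, and nothing in the code says the resulting 404 is deliberate — a later change that queries `Report` directly would silently reopen the issue. I would document that intent above `def resource_base`, for example `# Every report lookup in this controller goes through this scope (reports on hosts the user may view). Unauthorized or unknown ids raise RecordNotFound -> 404, not 403, so their existence is not revealed.` A similar one-line comment on the `Host.authorized(:view_hosts)` line in `show` would make the same point where the host check happens.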
Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, so as not to give hints about whether a Report
ID or Host ID are valid.
I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.