[fix] security problems with tags

diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php
index 58583bf5644dfa637f791420eade3ae42308c450..3332b5a39477dab196dbe8c8bd9afbca70592f61 100644 (file)
--- a/inc/poche/Database.class.php
+++ b/inc/poche/Database.class.php
@@ -344,30 +344,36 @@ class Database {
         return $this->getHandle()->lastInsertId($column);
     }
 
-    public function retrieveAllTags() {
-        $sql = "SELECT * FROM tags";
-        $query = $this->executeQuery($sql, array());
+    public function retrieveAllTags($user_id) {
+        $sql = "SELECT tags.* FROM tags
+          LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
+          LEFT JOIN entries ON tags_entries.entry_id=entries.id
+          WHERE entries.user_id=?";
+        $query = $this->executeQuery($sql, array($user_id));
         $tags = $query->fetchAll();
 
         return $tags;
     }
 
-    public function retrieveTag($id) {
+    public function retrieveTag($id, $user_id) {
         $tag  = NULL;
-        $sql    = "SELECT * FROM tags WHERE id=?";
-        $params = array(intval($id));
+        $sql    = "SELECT tags.* FROM tags
+          LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
+          LEFT JOIN entries ON tags_entries.entry_id=entries.id
+          WHERE tags.id=? AND entries.user_id=?";
+        $params = array(intval($id), $user_id);
         $query  = $this->executeQuery($sql, $params);
         $tag  = $query->fetchAll();
 
         return isset($tag[0]) ? $tag[0] : null;
     }
 
-    public function retrieveEntriesByTag($tag_id) {
+    public function retrieveEntriesByTag($tag_id, $user_id) {
         $sql = 
             "SELECT entries.* FROM entries
             LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id
-            WHERE tags_entries.tag_id = ?";
-        $query = $this->executeQuery($sql, array($tag_id));
+            WHERE tags_entries.tag_id = ? AND entries.user_id=?";
+        $query = $this->executeQuery($sql, array($tag_id, $user_id));
         $entries = $query->fetchAll();
 
         return $entries;

diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index 7616929779b5003cbab9ee3313a4469f9b54cf58..753bd7f077619959a08cc68355f8706d2d695bb6 100644 (file)
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -463,6 +463,12 @@ class Poche
             case 'add_tag' :
                 $tags = explode(',', $_POST['value']);
                 $entry_id = $_POST['entry_id'];
+                $entry = $this->store->retrieveOneById($entry_id, $this->user->getId());
+                if (!$entry) {
+                    $this->messages->add('e', _('Article not found!'));
+                    Tools::logm('error : article not found');
+                    Tools::redirect();
+                }
                 foreach($tags as $key => $tag_value) {
                     $value = trim($tag_value);
                     $tag = $this->store->retrieveTagByValue($value);
@@ -487,6 +493,12 @@ class Poche
                 break;
             case 'remove_tag' :
                 $tag_id = $_GET['tag_id'];
+                $entry = $this->store->retrieveOneById($id, $this->user->getId());
+                if (!$entry) {
+                    $this->messages->add('e', _('Article not found!'));
+                    Tools::logm('error : article not found');
+                    Tools::redirect();
+                }
                 $this->store->removeTagForEntry($id, $tag_id);
                 Tools::redirect();
                 break;
@@ -525,6 +537,12 @@ class Poche
                 break;
             case 'edit-tags':
                 # tags
+                $entry = $this->store->retrieveOneById($id, $this->user->getId());
+                if (!$entry) {
+                    $this->messages->add('e', _('Article not found!'));
+                    Tools::logm('error : article not found');
+                    Tools::redirect();
+                }
                 $tags = $this->store->retrieveTagsByEntry($id);
                 $tpl_vars = array(
                     'entry_id' => $id,
@@ -532,8 +550,8 @@ class Poche
                 );
                 break;
             case 'tag':
-                $entries = $this->store->retrieveEntriesByTag($id);
-                $tag = $this->store->retrieveTag($id);
+                $entries = $this->store->retrieveEntriesByTag($id, $this->user->getId());
+                $tag = $this->store->retrieveTag($id, $this->user->getId());
                 $tpl_vars = array(
                     'tag' => $tag,
                     'entries' => $entries,
@@ -541,7 +559,7 @@ class Poche
                 break;
             case 'tags':
                 $token = $this->user->getConfigValue('token');
-                $tags = $this->store->retrieveAllTags();
+                $tags = $this->store->retrieveAllTags($this->user->getId());
                 $tpl_vars = array(
                     'token' => $token,
                     'user_id' => $this->user->getId(),
@@ -1056,7 +1074,7 @@ class Poche
         $feed->setChannelElement('author', 'wallabag');
 
         if ($type == 'tag') {
-            $entries = $this->store->retrieveEntriesByTag($tag_id);
+            $entries = $this->store->retrieveEntriesByTag($tag_id, $user_id);
         }
         else {
             $entries = $this->store->getEntriesByView($type, $user_id);