email: check the owner when set as primary (#5988)

unknwon · mpsonntag · commit 529694dc6d87 · 2020-11-25T19:33:34.000+01:00
* email: check the owner when set as primary

Fixes a security issue reported by muxishuihan.

* Update CHANGELOG
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,7 @@ All notable changes to Gogs are documented in this file.
 
 - [Security] Potential open redirection with i18n.
 - [Security] Potential ability to delete files outside a repository.
+- [Security] Potential ability to set primary email on others' behalf from their verified emails.
 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
diff --git a/Makefile b/Makefile
@@ -42,7 +42,7 @@ pack:
 
 release: build pack
 
-generate: $(ASSETS_GENERATED)
+generate: clean $(ASSETS_GENERATED)
 
 internal/assets/conf/conf_gen.go: $(CONF_FILES)
 	-rm -f $@
@@ -59,7 +59,7 @@ internal/assets/public/public_gen.go: $(PUBLIC_FILES)
 	go generate internal/assets/public/public.go
 	gofmt -s -w $@
 
-less: public/css/gogs.min.css
+less: clean public/css/gogs.min.css
 
 public/css/gogs.min.css: $(LESS_FILES)
 	@type lessc >/dev/null 2>&1 && lessc --clean-css --source-map "public/less/gogs.less" $@ || echo "lessc command not found or failed"
diff --git a/internal/db/user_mail.go b/internal/db/user_mail.go
@@ -160,14 +160,18 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
 	return nil
 }
 
-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
 	has, err := x.Get(email)
 	if err != nil {
 		return err
 	} else if !has {
 		return errors.EmailNotFound{Email: email.Email}
 	}
 
+	if email.UID != userID {
+		return errors.New("not the owner of the email")
+	}
+
 	if !email.IsActivated {
 		return errors.EmailNotVerified{Email: email.Email}
 	}
diff --git a/internal/route/user/setting.go b/internal/route/user/setting.go
@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 
 	// Make emailaddress primary.
 	if c.Query("_method") == "PRIMARY" {
-		if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+		if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
 			c.ServerError("MakeEmailPrimary", err)
 			return
 		}

Original file line number	Diff line number	Diff line change
`@@ -160,14 +160,18 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {`
`160`	`160`	`return nil`
`161`	`161`	`}`
`162`	`162`
`163`		`-func MakeEmailPrimary(email *EmailAddress) error {`
	`163`	`+func MakeEmailPrimary(userID int64, email *EmailAddress) error {`
`164`	`164`	`has, err := x.Get(email)`
`165`	`165`	`if err != nil {`
`166`	`166`	`return err`
`167`	`167`	`} else if !has {`
`168`	`168`	`return errors.EmailNotFound{Email: email.Email}`
`169`	`169`	`}`
`170`	`170`
	`171`	`+ if email.UID != userID {`
	`172`	`+ return errors.New("not the owner of the email")`
	`173`	`+ }`
	`174`	`+`
`171`	`175`	`if !email.IsActivated {`
`172`	`176`	`return errors.EmailNotVerified{Email: email.Email}`
`173`	`177`	`}`
Original file line number	Diff line number	Diff line change
`@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {`
`237`	`237`
`238`	`238`	`// Make emailaddress primary.`
`239`	`239`	`if c.Query("_method") == "PRIMARY" {`
`240`		`- if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {`
	`240`	`+ if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {`
`241`	`241`	`c.ServerError("MakeEmailPrimary", err)`
`242`	`242`	`return`
`243`	`243`	`}`