Merge pull request #377 from wloot/patch-6

[security] Fix user info leak in getSubscribe()
tokumeikoi 2021-01-07 17:16:07 +09:00 committed by GitHub
commit 633b9ad912


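--- a/PATH_NOT_SHOWN/UserController.php
+++ b/PATH_NOT_SHOWN/UserController.php
@@ -27,6 +27,9 @@ class UserController extends Controller
     public function changePassword(UserChangePassword $request)
     {
         $user = User::find($request->session()->get('id'));
+        if (!$user) {
+            abort(500, '该用户不存在');
+        }
         if (!Helper::multiPasswordVerify(
             $user->password_algo,
             $request->input('old_password'),
@@ -65,6 +68,9 @@ class UserController extends Controller
                 'telegram_id'
             ])
             ->first();
+        if (!$user) {
+            abort(500, '该用户不存在');
+        }
         $user['avatar_url'] = 'https://cdn.v2ex.com/gravatar/' . md5($user->email) . '?s=64&d=identicon';
         return response([
             'data' => $user
@@ -91,6 +97,19 @@ class UserController extends Controller
     public function getSubscribe(Request $request)
     {
-        $user = User::find($request->session()->get('id'));
+        $user = User::where('id', $request->session()->get('id'))
+            ->select([
+                'id',
+                'plan_id',
+                'token',
+                'expired_at',
+                'u',
+                'd',
+                'transfer_enable'
+            ])
+            ->first();
+        if (!$user) {
+            abort(500, '该用户不存在');
+        }
         if ($user->plan_id) {
             $user['plan'] = Plan::find($user->plan_id);
             if (!$user['plan']) {
@@ -107,6 +126,9 @@ class UserController extends Controller
     public function resetSecurity(Request $request)
     {
         $user = User::find($request->session()->get('id'));
+        if (!$user) {
+            abort(500, '该用户不存在');
+        }
         $user->uuid = Helper::guid(true);
         $user->token = Helper::guid();
         if (!$user->save()) {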
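Review bot: The guards added in all four hunks (`changePassword`, the second hunk's method, `getSubscribe`, `resetSecurity`) answer a missing user with `abort(500, '该用户不存在')`, which reports a stale session id (for example a deleted account) as a server fault; a 4xx such as `abort(401, '该用户不存在');` would tell the client to re-authenticate and keep the case out of 5xx error monitoring, if the project's error convention allows it. The narrowed `select` in `getSubscribe` is the right shape for the leak fix, and it deserves a one-line comment above `->select([` naming the intent, e.g. `// Allowlist of columns exposed by the subscribe response; widen only with review.`, so a later edit does not quietly reload the full model. Each of the four method bodies continues outside its hunk.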