Hello/Hi/Greetings,
I am rewriting an existing plugin called Color Palette; the new name will be Color Search.
I stumbled on a security risk that I would like to address properly.
This plugin searches for pictures by color. Colors are extracted as indexes and stored for each picture, in a table referencing 16 indexes and the imageId.
If you have not guessed it already, the issue is in the search-by-color function. How do you prevent the user from seeing pictures they are not supposed to? What is the best practice?
The SQL code I discovered is this one:
$query = ' SELECT 1 as i, pal.image_id as pal_image_id
    FROM '. COLOR_PALETTE_TABLE .' pal
    INNER JOIN '. IMAGES_TABLE .' img ON img.id = pal.image_id
    INNER JOIN '. IMAGE_CATEGORY_TABLE .' cat ON img.id = cat.image_id
    WHERE '. (implode(' OR ', $colorPredicates)) .'
      AND cat.category_id NOT IN ('. $forbidden_categories .')
      AND img.level <= '. intval($user['level']) .'
    GROUP BY pal.image_id
    HAVING SUM(i) = '. count($colorPredicates) .' ;';
As you can see, the only two security-related parts are cat.category_id and $user['level'].
Is this sufficient moving forward? Is it best practice to let plugins dig into the image database and let them decide about the security themselves? I'd rather not have to do that, to be honest.
Thanks for any insight.
Piwigo URL: https://piwigo.derewonko.com
There's a function get_sql_condition_FandF() (Forbidden and Filters) in include/functions_user.inc.php to compute a WHERE condition with forbidden_categories and forbidden_images. Check its comment and its usage throughout the core code and plugins.
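Added illustration (not code from the plugin, nor from Piwigo core): the search query from the first post rebuilt in Python over an in-memory SQLite copy of the three tables, with the visibility rules the reply names (forbidden categories, forbidden images, privacy level) produced by a single helper instead of being hand-written in the plugin, and with every color index and category id bound as a query parameter rather than concatenated into the SQL string. The table and column names, the sample rows, the user structure and the helper access_condition() are all assumptions made for the example; the real core helper is the one named in the reply.

```python
import sqlite3

# Constructed sample schema mirroring the three tables the plugin query joins
# (names are assumptions, not Piwigo's real table definitions).
SCHEMA = """
CREATE TABLE images (id INTEGER PRIMARY KEY, level INTEGER NOT NULL);
CREATE TABLE image_category (image_id INTEGER NOT NULL, category_id INTEGER NOT NULL);
CREATE TABLE color_palette (image_id INTEGER NOT NULL, color_index INTEGER NOT NULL);
"""

# Constructed sample data:
#   image 1: category 10, level 0                -> visible to a guest
#   image 2: category 20 (forbidden)             -> hidden
#   image 3: category 10 but privacy level 4     -> hidden from level-0 users
#   image 4: in categories 20 and 10             -> visible through category 10
#   image 5: category 10 but explicitly forbidden image
#   image 6: category 10, only one of the two colors searched for
SAMPLE = {
    "images": [(1, 0), (2, 0), (3, 4), (4, 0), (5, 0), (6, 0)],
    "image_category": [(1, 10), (2, 20), (3, 10), (4, 20), (4, 10), (5, 10), (6, 10)],
    "color_palette": [(1, 5), (1, 7), (2, 5), (2, 7), (3, 5), (3, 7),
                      (4, 5), (4, 7), (5, 5), (5, 7), (6, 5)],
}


def open_sample_db():
    """Build the in-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", rows)
    return conn


def access_condition(user):
    """Return (sql_fragment, params) restricting rows to what `user` may see.

    Assumed stand-in for a core helper: the plugin never decides the rules,
    it only appends this fragment. Relies on the query aliasing images as
    `img` and the image/category link table as `cat`.
    """
    clauses = ["img.level <= ?"]
    params = [user["level"]]
    if user["forbidden_categories"]:
        marks = ", ".join("?" * len(user["forbidden_categories"]))
        clauses.append(f"cat.category_id NOT IN ({marks})")
        params.extend(sorted(user["forbidden_categories"]))
    if user["forbidden_images"]:
        marks = ", ".join("?" * len(user["forbidden_images"]))
        clauses.append(f"img.id NOT IN ({marks})")
        params.extend(sorted(user["forbidden_images"]))
    return " AND ".join(clauses), params


def search_by_color(conn, user, color_indexes):
    """Return the ids of images that carry every requested color index
    and that `user` is allowed to see."""
    colors = sorted(set(color_indexes))
    if not colors:
        return []
    access_sql, access_params = access_condition(user)
    marks = ", ".join("?" * len(colors))
    # COUNT(DISTINCT ...) keeps the "all colors present" test correct even
    # when the category join yields several rows per image.
    sql = f"""
        SELECT pal.image_id
        FROM color_palette pal
        JOIN images img ON img.id = pal.image_id
        JOIN image_category cat ON cat.image_id = img.id
        WHERE pal.color_index IN ({marks}) AND {access_sql}
        GROUP BY pal.image_id
        HAVING COUNT(DISTINCT pal.color_index) = ?
    """
    params = colors + access_params + [len(colors)]
    return sorted(row[0] for row in conn.execute(sql, params))


def run_demo():
    """Same search for a restricted guest and for an unrestricted admin."""
    conn = open_sample_db()
    guest = {"level": 0, "forbidden_categories": {20}, "forbidden_images": {5}}
    admin = {"level": 8, "forbidden_categories": set(), "forbidden_images": set()}
    return search_by_color(conn, guest, [5, 7]), search_by_color(conn, admin, [5, 7])


if __name__ == "__main__":
    guest_hits, admin_hits = run_demo()
    print("guest sees:", guest_hits)
    print("admin sees:", admin_hits)
```

The point of the split is that search_by_color() carries only the color logic; everything about who may see what comes from one helper, so a second plugin (or a later change to the visibility rules) cannot drift away from the core's definition.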
Seems very difficult and bare-bones, but I will try eventually. Thanks.