Recently, our team found a vulnerability of publishing a post as an arbitrary user in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/fanchaoo/forum/blob/master/src/main/java/com/fc/service/PostService.java#L57

The developer failed to check the ownership info of the post when querying a post insertion via `postMapper.insertPost(post)`, which means an accessor can publish a post with the identity of arbitrary users via `/publishPost.do` (i.e., https://github.com/fanchaoo/forum/blob/master/src/main/java/com/fc/controller/PostController.java#L47).

We recommend that developers add the access control policy before the insertion of the post to ensure that the ownership info of the post is the current accessor.