CVE-2022-25319: fix: [security] open endpoints should only be open when enabled · cerebrate-project/cerebrate@a263234

An issue was discovered in Cerebrate through 1.4. Endpoints served by the Open controllers (individuals and organisations) could be reached without authentication even when they were not enabled in the `Cerebrate.open` configuration.

Tags: CVE #vulnerability #git #php #auth
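The advisory describes the pattern without showing it. The following is an added example, not code from the Cerebrate project: a stand-alone PHP script (run with `php gate.php`) that models the configuration gate controlling which actions are served unauthenticated, with the pre-fix behaviour (the action whitelisted unconditionally) beside the corrected one. It goes slightly beyond the fix by rejecting a non-array `Cerebrate.open` value and comparing strictly. The function names, the shape of the config array and the sample configurations are assumptions.

```php
<?php
// Added example, not Cerebrate's own code. It models the configuration gate
// that decides which controller actions may be served without authentication.
// The names here (openActions, authenticationRequired, the $config array) are
// hypothetical; Cerebrate reads Configure::read('Cerebrate.open') inside each
// Open controller's beforeFilter() and calls the Authentication component.
declare(strict_types=1);

/**
 * Actions of $resource that may be served unauthenticated under $config.
 * $alwaysOpen = true models the pre-fix behaviour, where 'index' was
 * whitelisted before the configuration was consulted at all.
 */
function openActions(array $config, string $resource, bool $alwaysOpen = false): array
{
    if ($alwaysOpen) {
        return ['index'];
    }
    $open = $config['Cerebrate']['open'] ?? null;
    // Hardened form of the check: require an array (a non-array value such as a
    // string from a hand-edited config would make in_array() throw a TypeError on
    // PHP 8) and compare strictly so no type juggling can match the resource name.
    if (!is_array($open) || !in_array($resource, $open, true)) {
        return [];
    }
    return ['index'];
}

/** True when $action on $resource must go through authentication. */
function authenticationRequired(array $config, string $resource, string $action, bool $alwaysOpen = false): bool
{
    return !in_array($action, openActions($config, $resource, $alwaysOpen), true);
}

// Constructed configurations (assumed shapes): unset, empty, one resource
// enabled, both enabled, and a malformed scalar value.
$cases = [
    'no open key'        => [],
    'empty list'         => ['Cerebrate' => ['open' => []]],
    'organisations only' => ['Cerebrate' => ['open' => ['organisations']]],
    'both enabled'       => ['Cerebrate' => ['open' => ['individuals', 'organisations']]],
    'malformed (string)' => ['Cerebrate' => ['open' => 'individuals']],
];

foreach ($cases as $label => $config) {
    foreach (['individuals', 'organisations'] as $resource) {
        $before = authenticationRequired($config, $resource, 'index', true) ? 'auth' : 'OPEN';
        $after  = authenticationRequired($config, $resource, 'index') ? 'auth' : 'OPEN';
        // Pre-fix: every row is OPEN. Fixed: OPEN only where the config lists the resource.
        printf("%-20s %-14s pre-fix: %-4s fixed: %s\n", $label, $resource, $before, $after);
    }
}
```

The "malformed (string)" row is the case the shipped fix does not cover: `!empty('individuals')` is true, and `in_array('individuals', 'individuals')` throws on PHP 8 instead of quietly denying. Treating anything that is not an array as "nothing is open" fails closed.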


fix: [security] open endpoints should only be open when enabled

- as reported by Dawid Czarnecki from Zigrin Security


Showing 2 changed files with 10 additions and 2 deletions.

    • IndividualsController.php
    • OrganisationsController.php

6 changes: 5 additions & 1 deletion src/Controller/Open/IndividualsController.php


@@ -11,13 +11,17 @@

use Cake\Http\Exception\MethodNotAllowedException;

use Cake\Http\Exception\ForbiddenException;

use Cake\Event\EventInterface;

use Cake\Core\Configure;

class IndividualsController extends AppController

{

public function beforeFilter(EventInterface $event)

{

parent::beforeFilter($event);

$this->Authentication->allowUnauthenticated([‘index’]);

$open = Configure::read(‘Cerebrate.open’);

if (!empty($open) && in_array('individuals’, $open)) {

$this->Authentication->allowUnauthenticated([‘index’]);

}

}

public function index()
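Review bot: in this rendering the unconditional `$this->Authentication->allowUnauthenticated([‘index’]);` immediately after `parent::beforeFilter($event);` appears alongside the guarded copy inside the `if`; the file header says 5 additions and 1 deletion, so that first call has to be the removed line. If it survived in the merged file the `Cerebrate.open` check would be dead code, because `index` is already whitelisted before the check runs; worth confirming on the raw diff. Two smaller points on the guard itself: `Configure::read(‘Cerebrate.open’)` is only tested with `!empty()`, so a non-array value (a string in a hand-edited config) reaches `in_array()` and throws a TypeError on PHP 8 rather than denying access; use `is_array($open)` instead of `!empty($open)`, and pass `true` as the third argument to `in_array()` for a strict comparison.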


6 changes: 5 additions & 1 deletion src/Controller/Open/OrganisationsController.php


@@ -10,13 +10,17 @@

use Cake\Http\Exception\MethodNotAllowedException;

use Cake\Http\Exception\ForbiddenException;

use Cake\Event\EventInterface;

use Cake\Core\Configure;

class OrganisationsController extends AppController

{

public function beforeFilter(EventInterface $event)

{

parent::beforeFilter($event);

$this->Authentication->allowUnauthenticated([‘index’]);

$open = Configure::read(‘Cerebrate.open’);

if (!empty($open) && in_array('organisations’, $open)) {

$this->Authentication->allowUnauthenticated([‘index’]);

}

}

public function index()
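Review bot: this hunk is a copy of the IndividualsController change with only the key changed to 'organisations'; repeating the `!empty($open) && in_array(...)` guard in every Open controller means each future open endpoint has to reproduce it by hand and can drift. Consider one helper on AppController (for example a hypothetical `$this->isOpenEndpoint('organisations')`) that performs the `is_array` and strict `in_array` check once, and call it from both beforeFilter() methods. The same reading caveat applies here: the unconditional `allowUnauthenticated([‘index’])` before the check must be the deleted line, otherwise the guard never restricts anything.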
