Security: Add filter on messages forwarding

Author: ywarnier

Diff for: main/inc/lib/message.lib.php

@@ -3486,4 +3486,24 @@ private static function addTagsFormToSearch(FormValidator $form)
             ->setMultiple(true)
         ;
     }
+
+    /**
+     * Reports whether the given user is sender or receiver of the given message
+     * @param int $userId
+     * @param int $messageId
+     * @return bool
+     */
+    public static function isUserOwner(int $userId, int $messageId)
+    {
+        $table = Database::get_main_table(TABLE_MESSAGE);
+        $sql = "SELECT id FROM $table
+          WHERE id = $messageId
+            AND (user_receiver_id = $userId OR user_sender_id = $userId)";
+        $res = Database::query($sql);
+        if (Database::num_rows($res) === 1) {
+            return true;
+        }
+
+        return false;
+    }
 }

Diff for: main/messages/new_message.php

@@ -226,7 +226,7 @@ function manageForm($default, $select_from_user_list = null, $sent_to = '', $tpl
         );
     }
 
-    if (isset($_GET['forward_id'])) {
+    if (isset($_GET['forward_id']) && MessageManager::isUserOwner(api_get_user_id(), (int) $_GET['forward_id'])) {
         $forwardId = (int) $_GET['forward_id'];
         $message_reply_info = MessageManager::get_message_by_id($forwardId);
         $attachments = MessageManager::getAttachmentLinkList($forwardId, MessageManager::MESSAGE_TYPE_INBOX);