
Missing sudo mode checks #2487

Closed
6 tasks done
LukasReschke opened this issue Dec 2, 2016 · 1 comment
LukasReschke commented Dec 2, 2016

FYI @nickvergessen

@LukasReschke LukasReschke added this to the Nextcloud 11.0 milestone Dec 2, 2016
@LukasReschke LukasReschke self-assigned this Dec 2, 2016
LukasReschke added a commit that referenced this issue Dec 5, 2016
Otherwise an administrator could bypass sudo mode by installing an app that allows RCE by design. I've by intention excluded the update endpoint from the requirement because updating apps should be as unobtrusive as possible.

Not the cleanest approach by adding this to the AJAX endpoints instead of requiring a controller but for 11 this felt safer for me. We can clean this up together later then. (also the other AJAX endpoints in this folder do have the same logic)

Ref #2487

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
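To make the point of the commit concrete, here is an added illustrative example (not Nextcloud's code and not the patch referenced above) of the check pattern the message describes: a state-changing admin AJAX endpoint that, besides the usual admin and CSRF checks, refuses to proceed unless the session records a recent password re-confirmation. The session key name `last-password-confirm`, the 30-minute window, and the helper and function names are assumptions made for this example.

```php
<?php
// Illustrative "sudo mode" guard for an app-install endpoint (added example,
// not Nextcloud's own code). Key name and window are assumptions.

const PASSWORD_CONFIRM_MAX_AGE = 30 * 60; // seconds; assumed window

/**
 * True when the session holds a password confirmation timestamp that is
 * still inside the allowed window. A missing or zero timestamp fails.
 */
function hasRecentPasswordConfirmation(array $session, int $now, int $maxAge = PASSWORD_CONFIRM_MAX_AGE): bool
{
    $last = (int) ($session['last-password-confirm'] ?? 0);
    return $last > 0 && ($now - $last) <= $maxAge;
}

/**
 * Guard for a privileged, state-changing endpoint. Returns [status, body];
 * the caller emits them as the HTTP response. The checks are ordered so
 * that a non-admin or a CSRF failure is rejected before the sudo check.
 */
function guardAppInstall(array $session, bool $isAdmin, bool $csrfOk, int $now): array
{
    if (!$isAdmin) {
        return [403, ['message' => 'admin privileges required']];
    }
    if (!$csrfOk) {
        return [403, ['message' => 'invalid CSRF token']];
    }
    if (!hasRecentPasswordConfirmation($session, $now)) {
        // Distinct message so the client can prompt for the password again.
        return [403, ['message' => 'password confirmation required']];
    }
    return [200, ['status' => 'ok']];
}

// Constructed sample: the admin confirmed their password 45 minutes ago,
// so the install request is rejected even though admin and CSRF checks pass.
$session = ['last-password-confirm' => time() - 45 * 60];
[$status, $body] = guardAppInstall($session, true, true, time());
echo $status . ' ' . json_encode($body) . PHP_EOL;

// Constructed sample: confirmation two minutes ago is accepted.
$session = ['last-password-confirm' => time() - 2 * 60];
[$status, $body] = guardAppInstall($session, true, true, time());
echo $status . ' ' . json_encode($body) . PHP_EOL;
```

The reason the check belongs on the install endpoint specifically is the one the commit message gives: installing an app is an action that can execute arbitrary server-side code by design, so it must not be reachable from an admin session that was merely left logged in. Applying the same guard to the update endpoint was deliberately skipped in the commit to keep routine updates unobtrusive.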
@MorrisJobke
All merged

blizzz pushed a commit that referenced this issue Dec 7, 2016