While the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions.
A user could theoretically download a file that they should not have access to if they know or can brute-force the filename.
--- a/modules/document_repository/php/files.class.inc
+++ b/modules/document_repository/php/files.class.inc
@@ -60,6 +61,29 @@ class Files extends \NDB_Page
$downloadpath = \Utility::appendForwardSlash(
$config->getSetting("documentRepositoryPath")
);
+
+ if ($request->getMethod() != "POST") {
+ $factory = \NDB_Factory::singleton();
+ $user = $factory->user();
+ $db = $factory->database();
+
+ $filename = explode(
+ 'Files',
+ urldecode($request->getUri()->getPath())
+ )[1];
+
+ $forSite = $db->pselectOne(
+ "SELECT For_site
+ FROM document_repository
+ WHERE Data_dir = :file_dir",
+ ['file_dir' => mb_substr($filename, 1)]
+ );
+
+ if (! $user->hasCenter(\CenterID::singleton((int)$forSite))) {
+ return (new \LORIS\Http\Response\JSON\Forbidden());
+ }
+ }
+
switch ($request->getMethod()) {
case "POST":
return $this->uploadDocFile($request);
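Review bot: the new guard fails open when the lookup finds nothing: `explode('Files', ...)[1]` is undefined for a decoded path that does not contain `Files`, and for any filename with no row in `document_repository`, `$forSite` is null and `(int)$forSite` becomes center 0, so whether the request is denied depends on how `\CenterID::singleton(0)` and `hasCenter` treat a nonexistent center rather than on an explicit deny. Suggest checking `isset(...)` on the exploded part and returning `Forbidden` (or `NotFound`) whenever `$forSite === null`, so unknown paths are rejected deterministically; since the guard sits before the `switch`, also confirm that `!= "POST"` covers every non-upload method the switch dispatches, and consider a test that exercises a user without the file's center against this path, which the hunk does not add.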
LORIS projects that previously used the document repository but no longer do can disable the module to remove access to the endpoint.