
Potential privilege escalation in getUser function

Open jhvh1 opened this issue 9 years ago • 1 comments

public function getUser($input, $fetchOptions = array())

Assume there is a privileged account with an Id of 1750. Next assume that an account is created with the username "1750". When getUser is called with $input = "1750", the function will return a User object associated with the privileged account with the Id of 1750 instead of the unprivileged account with a username of "1750". This happens because the value of $input passes the test for 'is_numeric' and is therefore used to look up the user by the Id, instead of by the (user)name.

jhvh1 avatar Aug 11 '16 17:08 jhvh1

This problem cannot be solved with automatic detection of the field. Imagine the reverse situation. The only solution is blocking the registration of user names consisting only of numbers.

For edits you can set custom_field_identifier to user_id or name.

bato3 avatar Sep 29 '16 16:09 bato3
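The ambiguity described in the issue and the two mitigations raised in the reply, as an added example that is not XenAPI's code and is not part of the original thread. The in-memory user table and every function name are hypothetical; only the `is_numeric` branch and the `user_id` / `name` field names come from the page.

```php
<?php
// Constructed sample data: user_id => row. Not real accounts.
const USERS = [
    1750 => ['username' => 'admin', 'is_admin' => true],
    2001 => ['username' => '1750',  'is_admin' => false],
];

function findById(int $id): ?array {
    return isset(USERS[$id]) ? USERS[$id] + ['user_id' => $id] : null;
}

function findByName(string $name): ?array {
    foreach (USERS as $id => $row) {
        if ($row['username'] === $name) {
            return $row + ['user_id' => $id];
        }
    }
    return null;
}

// Behaviour described in the issue: the lookup field is guessed from the value.
function getUserGuessing(string $input): ?array {
    return is_numeric($input) ? findById((int) $input) : findByName($input);
}

// Hypothetical alternative: the caller states which field the value belongs to.
function getUserExplicit(string $input, string $field): ?array {
    switch ($field) {
        case 'user_id':
            // Plain decimal digits only; is_numeric() also accepts "1e3", "-5", "1.0".
            return preg_match('/\A[0-9]+\z/', $input) === 1 ? findById((int) $input) : null;
        case 'name':
            return findByName($input);
        default:
            throw new InvalidArgumentException("unknown identifier field: $field");
    }
}

// Registration-side check from the reply: refuse any name is_numeric() would accept.
function isAllowedUsername(string $name): bool {
    return $name !== '' && !is_numeric($name);
}

var_dump(getUserGuessing('1750'));            // value is guessed to be an id
var_dump(getUserExplicit('1750', 'name'));    // value is treated as a username
var_dump(getUserExplicit('1750', 'user_id')); // value is treated as an id
var_dump(isAllowedUsername('1750'), isAllowedUsername('1e3'), isAllowedUsername('alice'));
```

The registration check only helps for new accounts; existing numeric usernames still need the explicit-field lookup or a rename.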