EscolaLMS/H5P

Insecure hub calls

Closed this issue · 0 comments

    Route::get('content-type-cache', [LibraryApiController::class, 'contentTypeCache'])->name('hh5p.library.content-type-cache');
    Route::get('content-hub-metadata-cache', [LibraryApiController::class, 'contentHubMetadata'])->name('hh5p.library.content-hub-metadata-cache');

    Route::post('library-install', [LibraryApiController::class, 'libraryInstall'])->name('hh5p.ajax.library-install');
    Route::post('library-upload', [LibraryApiController::class, 'libraryUpload'])->name('hh5p.ajax.library-upload');

Those calls are automatically called by the hub, yet without cookies we should be able to inject any type of security if the user has permissions to call those.

Scenario

  1. Create a fresh demo at https://h5p-laravel-demo.herokuapp.com/editor/new
  2. Install any library from the list

It calls `content-type-cache` and `content-hub-metadata-cache` in the first place; those might be public, as this isn't very insecure, yet the latter ones

    Route::post('library-install', [LibraryApiController::class, 'libraryInstall'])->name('hh5p.ajax.library-install');
    Route::post('library-upload', [LibraryApiController::class, 'libraryUpload'])->name('hh5p.ajax.library-upload');

definitely should have security validation.
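One way to apply the validation the issue asks for, written here as an added example and not the EscolaLMS/H5P project's own code: the two GET cache routes stay public, while the two POST routes are wrapped in Laravel's `auth` and `can` middleware, backed by a gate, and a feature test checks that unauthenticated and unprivileged callers are rejected. The guard name `auth:api`, the ability name `h5p_library_install`, the `is_admin` check inside the gate, the controller namespace, the `User` factory and the test base class are all assumptions for illustration; only the route paths, route names and controller method names come from the issue.

```php
<?php
// Added example, not code from the EscolaLMS/H5P package.
// Assumptions (not from the issue): the application exposes an 'api' auth
// guard, defines a gate named 'h5p_library_install', and has a User model
// with an 'is_admin' flag plus a factory. The controller namespace is assumed.

use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\LibraryApiController; // namespace assumed

// --- routes (e.g. routes/api.php) -----------------------------------------

// Cache lookups only serve hub metadata and stay unauthenticated, as the
// issue suggests they can.
Route::get('content-type-cache', [LibraryApiController::class, 'contentTypeCache'])
    ->name('hh5p.library.content-type-cache');
Route::get('content-hub-metadata-cache', [LibraryApiController::class, 'contentHubMetadata'])
    ->name('hh5p.library.content-hub-metadata-cache');

// Installing or uploading a library changes server-side code that every
// editor will load, so the caller must be authenticated AND hold an explicit
// permission. The H5P Hub's automatic calls then only succeed for a user who
// could legitimately perform the action in the first place.
Route::middleware(['auth:api', 'can:h5p_library_install'])->group(function () {
    Route::post('library-install', [LibraryApiController::class, 'libraryInstall'])
        ->name('hh5p.ajax.library-install');
    Route::post('library-upload', [LibraryApiController::class, 'libraryUpload'])
        ->name('hh5p.ajax.library-upload');
});

// --- gate (e.g. AuthServiceProvider::boot) --------------------------------

// Hypothetical policy: only administrators may install or upload libraries.
// 'can:h5p_library_install' above denies with 403 when this returns false.
Gate::define('h5p_library_install', fn ($user) => (bool) $user->is_admin);

// --- feature test (e.g. tests/Feature/LibraryRouteGuardTest.php) ----------

class LibraryRouteGuardTest extends \Tests\TestCase
{
    // Without a session or token the 'auth:api' guard rejects the request.
    public function test_library_install_requires_authentication(): void
    {
        $this->postJson(route('hh5p.ajax.library-install'), [])
            ->assertStatus(401);
    }

    // An authenticated user without the permission is rejected by 'can:'.
    public function test_library_install_requires_permission(): void
    {
        $user = \App\Models\User::factory()->create(['is_admin' => false]); // assumed factory
        $this->actingAs($user, 'api')
            ->postJson(route('hh5p.ajax.library-install'), [])
            ->assertStatus(403);
    }

    // The upload route is guarded by the same group.
    public function test_library_upload_requires_authentication(): void
    {
        $this->postJson(route('hh5p.ajax.library-upload'), [])
            ->assertStatus(401);
    }
}
```

The middleware group is the important part: putting the check on the route rather than inside each controller method means a new library-mutating endpoint added to the same group cannot be forgotten, and `php artisan route:list` shows the middleware column for a quick audit.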