cydrobolt / polr

A modern, powerful, and robust URL shortener
https://polrproject.org
GNU General Public License v2.0
4.95k stars 893 forks

Priv Escalation, non-upgrade remediation question #627

Closed cidrbl0ck closed 1 year ago

cidrbl0ck commented 1 year ago

As noted here: https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc

It mentions that to remediate this vulnerability without upgrading, you add an "abort(404)" into the first line of "finishSetup". I wanted to verify what I am seeing just to ensure it's in the right place.

    public static function finishSetup(Request $request) {
        // get data from cookie, decode JSON
        if (!isset($_COOKIE['setup_arguments'])) {
            abort(404);
        }

Is this correct? Is a restart of Apache2 or anything required to implement this change?

Also FWIW an upgrade is planned, however I'd like to resolve this issue before then.


cydrobolt commented 1 year ago

The line right after the function declaration, and right before the if statement should be okay! I don't think restarting apache2 is necessary, but it wouldn't hurt if you wanted to make sure that the code change is synced.

cidrbl0ck commented 1 year ago

Many thanks!

cidrbl0ck commented 1 year ago

One more question on this if I may @cydrobolt, does this format look correct:

    public static function finishSetup(Request $request) {
        abort(404);
        if (!isset($_COOKIE['setup_arguments'])) {
            abort(404);
        }
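
A way to confirm the workaround discussed in this thread is in place, as an added example that is not part of the thread or of Polr's code: a text check that the first statement of `finishSetup` is a terminated `abort(404);`, also flagging a variant that omits the semicolon. The helper names and the sample strings are constructed for illustration, and the path to the controller file is supplied by the operator.

```python
import re
import sys

# Heuristic text check, not a PHP parser. Function name and guard come from the thread.
DECL = re.compile(r"function\s+finishSetup\s*\([^)]*\)\s*\{")
GUARD = re.compile(r"abort\s*\(\s*404\s*\)\s*;")      # terminated statement
UNTERMINATED = re.compile(r"abort\s*\(\s*404\s*\)")   # call without ';' (PHP parse error)

def strip_leading_comments(src):
    """Drop whitespace and //, # and /* */ comments at the start of src."""
    while True:
        src = src.lstrip()
        if src.startswith(("//", "#")):
            nl = src.find("\n")
            src = "" if nl == -1 else src[nl + 1:]
        elif src.startswith("/*"):
            end = src.find("*/")
            src = "" if end == -1 else src[end + 2:]
        else:
            return src

def check_workaround(php_source):
    """Return 'patched', 'syntax-error', 'unpatched' or 'not-found'."""
    m = DECL.search(php_source)
    if m is None:
        return "not-found"
    body = strip_leading_comments(php_source[m.end():])
    if GUARD.match(body):
        return "patched"        # unconditional abort(404); is the first statement
    if UNTERMINATED.match(body):
        return "syntax-error"   # guard present but missing its semicolon
    return "unpatched"

# Constructed samples modelled on the snippets quoted in the thread.
HEAD = "public static function finishSetup(Request $request) {\n"
TAIL = "    if (!isset($_COOKIE['setup_arguments'])) {\n        abort(404);\n    }\n"
UNPATCHED = HEAD + "    // get data from cookie, decode JSON\n" + TAIL
PATCHED = HEAD + "    abort(404);\n" + TAIL
NO_SEMICOLON = HEAD + "    abort(404)\n" + TAIL

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the controller file, given by the operator
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_workaround(fh.read()))
    else:
        for name in ("UNPATCHED", "PATCHED", "NO_SEMICOLON"):
            print(name, check_workaround(globals()[name]))
```

Running `php -l` on the edited file reports the missing-semicolon case as a parse error as well.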