Key vulnerability information

Vulnerability type: Authenticated Insecure Direct Object Reference (IDOR)
Fix commit (advisory): GHSA-g268-72p7-9j6j
Fix committer: damianlegawiec
Fix commit time: Last month (6591f4c)
Fixed file: spree/core/app/services/spree/checkout/update.rb

Code changes in the fix:
- Added the `validate_address_ownership` method.
- Called this method from the checkout update flow to verify that any address referenced by id in the request belongs to the order's user.
- If the check fails, an error is returned, preventing unauthorized access to address data.

Call site in the update flow:

```ruby
# Run the ownership check before any address id from the request is applied
# to the order; abort with a failure result if it reports an error.
address_ownership_error = validate_address_ownership(order, params)
return failure(order, address_ownership_error) if address_ownership_error
```

The new method:

```ruby
def validate_address_ownership(order, params)
  return nil unless params[:order]

  # Check both the billing and shipping address attributes for a reused address id.
  %w[bill ship].each do |address_kind|
    address_id = params[:order].dig(:"#{address_kind}_address_attributes", :id)
    next unless address_id

    address = Spree::Address.find_by(id: address_id)
    next unless address

    # Only guest addresses (no owner) or addresses owned by the order's user may be reused.
    # Note: the `|| address.user_id == order.user_id` clause is assumed here; the page's copy
    # of this line ended at `nil?`, which would reject every owned address, including the
    # order owner's own, and would leave the `order` argument unused.
    return Spree.t(:address_not_owned_by_user) unless address.user_id.nil? || address.user_id == order.user_id
  end

  nil
end
```

The fix prevents unauthorized users from accessing or modifying address data that does not belong to them.
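The following is an added, stand-alone illustration of the IDOR and of the ownership check described above; it is not Spree's code. `Address`, `Order`, the `ADDRESSES` table and the `NOT_OWNED` string are constructed stand-ins for `Spree::Address`, `Spree::Order`, the database and `Spree.t(:address_not_owned_by_user)`.

```ruby
# Constructed stand-ins for the Spree models (not Spree's code).
Address = Struct.new(:id, :user_id, :city)
Order   = Struct.new(:id, :user_id)

# Constructed sample data: a guest address (no owner) and two users' addresses.
ADDRESSES = {
  1 => Address.new(1, nil, 'Guest City'),
  2 => Address.new(2, 100, 'Alice Town'),
  3 => Address.new(3, 200, 'Bob Village')
}.freeze

# Stand-in for Spree.t(:address_not_owned_by_user).
NOT_OWNED = 'address_not_owned_by_user'

# Vulnerable behaviour (the IDOR): any existing address id supplied by the
# client is resolved and attached to the order, whoever owns it.
def vulnerable_resolve_address(_order, address_id)
  ADDRESSES[address_id]
end

# Hardened check mirroring the fix: a referenced address may be reused only
# when it is a guest address (user_id nil) or belongs to the order's user.
def validate_address_ownership(order, params)
  return nil unless params[:order]

  %w[bill ship].each do |address_kind|
    address_id = params[:order].dig(:"#{address_kind}_address_attributes", :id)
    next unless address_id

    address = ADDRESSES[address_id]
    next unless address # unknown ids fall through to the normal not-found path

    return NOT_OWNED unless address.user_id.nil? || address.user_id == order.user_id
  end

  nil
end

# Helper: build the params shape the checkout receives for one address kind
# and return the validation error (or nil).
def check_address(order, kind, address_id)
  params = { order: { :"#{kind}_address_attributes" => { id: address_id } } }
  validate_address_ownership(order, params)
end
```

Running `check_address` for Alice's order (user 100) against address 3 returns the error, while addresses 1 and 2 pass; the vulnerable resolver hands back Bob's address for the same request.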