huntr / nhiephon / 8F27686F-D698-4AB6-8EF0-899125792F13
History: Jan 17, 2022 - 10:09 a.m.

Improper Access Control in janeczku/calibre-web

2022-01-17 10:09:28
nhiephon
www.huntr.dev

EPSS: 0.001 (Low), percentile 21.4%

Description

With default settings, low-privileged users do not have permission to create a new shelf in public mode. However, because the server validates the submitted value inconsistently, this restriction does not work as intended and can be bypassed.

Steps To Reproduce

Root-cause

At line 248 (https://github.com/janeczku/calibre-web/blob/01090169a795342626412955cd0aefea11ad4a2a/cps/shelf.py#L248), the server checks whether a user without the "Public shelf" permission submitted "is_public=on" in the create request and returns an error if so. However, at line 251 the server only checks whether "is_public" is present in the request; it does not compare the value against "on" again. An attacker can therefore submit any value other than "on" (for example, "is_public=1") to pass the first check while the second still treats the shelf as public.
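The following Python example is added here to illustrate the inconsistency described above; it is not calibre-web's own code. It models the two checks with hypothetical functions (`create_shelf_vulnerable`, `create_shelf_fixed`) that take the POSTed form as a dict and a boolean standing in for the user's "Public shelf" permission, and runs both over constructed form submissions: the normal checkbox value "on", two crafted values, and the field absent.

```python
# Added illustration of the access-control flaw described in the report.
# NOT calibre-web's code: the function names, the `form` dict and the
# `can_create_public_shelf` flag are assumptions that model the logic
# the report describes (a permission gate that compares the submitted
# value with "on", followed by a truthiness test on the same field).


class PermissionDenied(Exception):
    """Raised when a user without the 'Public shelf' right tries to make one."""


def create_shelf_vulnerable(form, can_create_public_shelf):
    """Models the flawed logic: the gate and the assignment disagree.

    Returns the is_public flag that would be stored (1 or 0), or raises
    PermissionDenied when the gate fires.
    """
    # Gate (cf. the report's "line 248"): only rejects the exact value "on".
    if not can_create_public_shelf and form.get("is_public") == "on":
        raise PermissionDenied("not allowed to create a public shelf")
    # Assignment (cf. "line 251"): ANY non-empty value counts as public,
    # so a crafted value such as "1" or "off" slips past the gate above.
    return 1 if form.get("is_public") else 0


def create_shelf_fixed(form, can_create_public_shelf):
    """Hardened logic: derive the flag once, then gate on the derived flag.

    Because the gate and the stored value come from the same expression,
    no submitted value can be "not on" for the gate and "public" for storage.
    """
    is_public = 1 if form.get("is_public") == "on" else 0
    if is_public and not can_create_public_shelf:
        raise PermissionDenied("not allowed to create a public shelf")
    return is_public


def run_bypass_demo():
    """Runs both versions over constructed submissions from a user WITHOUT
    the permission. Returns {(case, version): stored_flag | "denied"}."""
    # Constructed form bodies; "checkbox_on" is what a browser sends when
    # the checkbox is ticked, the "bypass_*" cases are crafted requests.
    cases = {
        "checkbox_on": {"title": "reading list", "is_public": "on"},
        "bypass_1": {"title": "reading list", "is_public": "1"},
        "bypass_off": {"title": "reading list", "is_public": "off"},
        "absent": {"title": "reading list"},
    }
    results = {}
    for name, form in cases.items():
        for label, fn in (("vulnerable", create_shelf_vulnerable),
                          ("fixed", create_shelf_fixed)):
            try:
                results[(name, label)] = fn(form, can_create_public_shelf=False)
            except PermissionDenied:
                results[(name, label)] = "denied"
    return results


if __name__ == "__main__":
    for (case, version), outcome in sorted(run_bypass_demo().items()):
        print(f"{case:12s} {version:10s} -> {outcome}")
```

In the vulnerable version the two crafted cases are stored with `is_public = 1` even though the gate was meant to stop them; in the fixed version the same requests are stored as private, and only the genuine "on" value is refused. The general lesson is to compute a permission-relevant value exactly once and authorize on that value, rather than re-parsing the request in two places with different rules.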

Impact

A low-privileged user without the "Public shelf" permission can create a public shelf. This can lead to malicious content being shared publicly with other users of the instance.
