From 3656bc88288957d68ba040cad2e5f9dbd1b607b1 Mon Sep 17 00:00:00 2001
From: Brady Miller
Date: Fri, 10 Mar 2023 13:30:42 +0800
Subject: [PATCH] fix: bug fix (#6270)

---
 portal/messaging/handle_note.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/portal/messaging/handle_note.php b/portal/messaging/handle_note.php
index a7ae74bc1..a9a83492e 100644
--- a/portal/messaging/handle_note.php
+++ b/portal/messaging/handle_note.php
@@ -34,6 +34,29 @@ if (isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite_two'])) {
     }
     // owner is the patient portal_username
     $owner = $_SESSION['portal_username'];
+
+    // ensure the owner is bootstrapped to the $_POST['sender_id'] and
+    // $_POST['sender_name'], if applicable
+    if (empty($_POST['sender_id']) && !empty($_POST['sender_name'])) {
+        echo xlt("illegal Action");
+        OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
+        exit;
+    }
+    if (!empty($_POST['sender_id'])) {
+        if ($_POST['sender_id'] != $owner) {
+            echo xlt("illegal Action");
+            OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
+            exit;
+        }
+    }
+    if (!empty($_POST['sender_name'])) {
+        $nameCheck = sqlQuery("SELECT `fname`, `lname` FROM `patient_data` WHERE `pid` = ?", [$_SESSION['pid']]);
+        if (empty($nameCheck) || ($_POST['sender_name'] != ($nameCheck['fname'] . " " . $nameCheck['lname']))) {
+            echo xlt("illegal Action");
+            OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
+            exit;
+        }
+    }
 } else {
     OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
     $ignoreAuth = false;
-- 
2.11.4.GIT
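Review bot: The two identity checks compare untrusted POST values with loose `!=` (the `$_POST['sender_id'] != $owner` line and the `$_POST['sender_name'] != (...)` line), so PHP's numeric-string rules apply — `"01" == "1"` and `"1e3" == "1000"` are both true — and a value that is merely numerically equal to the stored owner or name is accepted as a match. Use strict comparison and reject non-string input, e.g. `if (!is_string($_POST['sender_id']) || $_POST['sender_id'] !== $owner) {` and `if (empty($nameCheck) || !is_string($_POST['sender_name']) || $_POST['sender_name'] !== ($nameCheck['fname'] . " " . $nameCheck['lname'])) {`. The `!empty()` guards also treat the literal string `"0"` as absent, so a `sender_id` of `"0"` never reaches the owner comparison; `isset($_POST['sender_id']) && $_POST['sender_id'] !== ''` expresses the intended "field was supplied" test without that gap. Whether a request that supplies neither field is later attributed to `$owner` is decided outside this hunk, as is the enclosing `if` block, which opens before and closes after it.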