SECURITY: a comment to a private post that has been edited (the comment has been edited) loses its privacy settings. This comment isn't visible in the stream but may be visible in feeds.

2016-05-12 16:45:49 -07:00 · 2016-05-12 16:45:49 -07:00 · 781716277b
commit 781716277b
parent 4d00c48026
1 changed files with 10 additions and 0 deletions
--- a/include/zot.php
+++ b/include/zot.php
@ -1953,6 +1953,16 @@ function remove_community_tag($sender, $arr, $uid) {
 */
 function update_imported_item($sender, $item, $orig, $uid) {

+	// If this is a comment being updated, remove any privacy information
+	// so that item_store_update will set it from the original.
+
+	if($item['mid'] !== $item['parent_mid']) {
+		unset($item['allow_cid']);
+		unset($item['allow_gid']);
+		unset($item['deny_cid']);
+		unset($item['deny_gid']);
+		unset($item['item_private']);
+	}

 	$x = item_store_update($item);