Closed Roardom closed 3 hours ago
poster, genres, and metadata IDs incorporated for more comprehensive data on torrents.
simplePaginateRaw for search results.
description, mediainfo, and bdinfo attributes included, enhancing search indexing of torrents.
The only sensitive info meilisearch stores is username for anon torrents, which is properly dealt with by returning Anonymous for the uploader username if the anon flag is checked.
The only data being added to the return collection that isn't from meilisearch is the tmdb image url, the created_at date, and the route to torrents.show, which contains a numeric id parameter.
torrents.show route does not output any sensitive data - the id is not considered sensitive.

The above only concerns the cached data. After the cached data is fetched from cache, it alters the data before sending as response (but does not alter the data in the cache). It adds sensitive info to the response, such as the rsskey, which itself provides access to the passkey via the magnet link or by downloading the torrent. This sensitive data is not cached. The sensitive data is sourced from the auth helper, and not through an existing (possibly incorrect) user object.
We were originally concerned about apikeys leaking through the pagination urls, but that doesn't seem to be the case since other users' apikeys are never cached.
Take 2 of #4131
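
The separation described above, between a shared cached payload and per-request secrets, sketched as an added example in plain PHP; it is not code from this pull request. The function names, cache key, URL shapes, users and keys are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample hits standing in for one page of search-index results.
$hits = [
    ['id' => 101, 'name' => 'Example.Release.A', 'username' => 'alice', 'anon' => false],
    ['id' => 102, 'name' => 'Example.Release.B', 'username' => 'bob',   'anon' => true],
];

// Shared payload: identical for every viewer, so it is safe to cache.
function buildCacheable(array $hits): array
{
    return array_map(static function (array $hit): array {
        if ($hit['anon']) {
            $hit['username'] = 'Anonymous'; // real uploader never enters the cache
        }
        $hit['show_url'] = '/torrents/' . $hit['id']; // numeric id only; path is illustrative
        return $hit;
    }, $hits);
}

// Per-request step: the secret comes from the authenticated user and is added
// to a copy (PHP passes arrays by value), never written back to the cache.
function personalize(array $rows, array $authUser): array
{
    foreach ($rows as &$row) {
        // Hypothetical URL shape; only the presence of the rsskey matters here.
        $row['download_url'] = '/example/download/' . $row['id'] . '?rsskey=' . $authUser['rsskey'];
    }
    unset($row);
    return $rows;
}

$cache = ['search:page:1' => buildCacheable($hits)];

// Constructed users with placeholder keys.
$carol = ['username' => 'carol', 'rsskey' => 'RSSKEY-CAROL-PLACEHOLDER'];
$dave  = ['username' => 'dave',  'rsskey' => 'RSSKEY-DAVE-PLACEHOLDER'];

$forCarol = personalize($cache['search:page:1'], $carol);
$forDave  = personalize($cache['search:page:1'], $dave);
$cachedJson = json_encode($cache);

// Fail loudly if the cache holds a key or an anonymous uploader's real name,
// or if one user's response carries another user's key.
if (str_contains($cachedJson, 'RSSKEY') || str_contains($cachedJson, 'bob')
    || str_contains(json_encode($forDave), $carol['rsskey'])) {
    throw new RuntimeException('sensitive data crossed the cache boundary');
}
echo "cache is user-agnostic; responses carry only the requester's rsskey\n";
```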