Closed g4borg closed 8 years ago
A proposal for a fix in AddPostView.dispatch:
```python
# Imports assumed here (not part of the posted snippet); the check itself is the fix
from django.core.exceptions import PermissionDenied
from django.shortcuts import get_object_or_404
from pybb.models import Post
from pybb.permissions import perms
...
post = get_object_or_404(Post, pk=quote_id)
if not perms.may_view_post(request.user, post):
    raise PermissionDenied
...
```
in https://github.com/hovel/pybbm/blob/master/pybb/views.py#L438
Ouch! Can you make a pull request? With tests, preferably?
I do not have a fork active; I use the pip version and monkeypatched it for myself for now. Also, I am not sure whether my one-line fix is accurate enough, since I do not know much about the rest of the suite. It might be an interesting idea to work from a fork for these problems, so maybe, but I am not angry if someone who knows the code beats me to it :)
I can simply quote any message if I know its quote id, and can read the message through this. It is extremely easy to read out information I am not supposed to have.
There are no permission checks whatsoever in AddPostView.dispatch, where the quote_id is resolved into a quote.
I would say this is a rather heavy security flaw.
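The gap described in this thread, modelled as an added, framework-free example (not pybbm code): a post is looked up by primary key for quoting, and the only thing standing between a user and the body of a post in a forum they cannot see is whether the view asks the permission handler first. The `PermissionHandler`, the in-memory `POSTS` table, the user and forum objects and the stand-in exception classes are all constructed here and assumed; `may_view_post` mirrors the call in the proposed fix above but is not pybbm's implementation.

```python
"""Model of the quote_id authorization gap and its fix (illustrative, not pybbm code).

A user who knows a post's primary key asks to quote it.  Without a permission
check the view resolves the pk and returns the post body, so any post in a
hidden forum leaks to anyone who can guess or enumerate ids.  The hardened
variant asks the permission handler first.  All names and data are constructed.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (renders as 403)."""


class Http404(Exception):
    """Stand-in for django.http.Http404."""


@dataclass(frozen=True)
class User:
    username: str
    is_staff: bool = False


@dataclass(frozen=True)
class Forum:
    name: str
    hidden: bool = False  # hidden forums are readable by staff only


@dataclass(frozen=True)
class Post:
    pk: int
    forum: Forum
    author: str
    body: str


class PermissionHandler:
    """Assumed analogue of a forum permission handler; not pybbm's class."""

    def may_view_forum(self, user, forum):
        return user.is_staff or not forum.hidden

    def may_view_post(self, user, post):
        # a post is readable exactly when its forum is readable
        return self.may_view_forum(user, post.forum)


perms = PermissionHandler()

# Constructed sample data: one public post, one in a staff-only forum.
PUBLIC = Forum("general")
STAFF = Forum("moderators", hidden=True)
POSTS = {
    1: Post(1, PUBLIC, "alice", "Hello everyone"),
    2: Post(2, STAFF, "admin", "Internal note: ban list draft"),
}


def get_object_or_404(table, pk):
    """Stand-in for django.shortcuts.get_object_or_404 over a dict."""
    try:
        return table[pk]
    except KeyError:
        raise Http404(pk) from None


def quote_vulnerable(user, quote_id):
    """Behaviour described in the issue: pk resolved, no permission check at all."""
    post = get_object_or_404(POSTS, quote_id)
    return f"> {post.body}"


def quote_fixed(user, quote_id):
    """Proposed fix: refuse to expose the body unless the user may view the post."""
    post = get_object_or_404(POSTS, quote_id)
    if not perms.may_view_post(user, post):
        raise PermissionDenied
    return f"> {post.body}"


def leaks_hidden_post(quote_fn, user=User("mallory"), quote_id=2):
    """True if quote_fn hands a non-staff user the body of the hidden post."""
    try:
        return "Internal note" in quote_fn(user, quote_id)
    except (PermissionDenied, Http404):
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_hidden_post(quote_vulnerable))
    print("fixed leaks:     ", leaks_hidden_post(quote_fixed))
```

Two practitioner notes on the shape of the fix. First, the check belongs at the point where the id is turned into an object, before anything derived from it (the quoted body, the thread, the forum) reaches the template or the form's initial data; doing it later is how these checks get bypassed by a second code path. Second, with lookup first and permission check second, a request for a nonexistent id gets a 404 while a forbidden one gets a 403, which tells an attacker whether a post exists; if that matters for the deployment, return the same response for both cases. A regression test for the project would create a hidden forum with one post and assert that a non-staff client requesting the add-post view with that post's id as quote_id is rejected and that the response body does not contain the post text.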