status leak: /context subpath does not check for visibility restrictions #25

Closed
opened 2022-06-28 13:49:52 +00:00 by floatingghost · 0 comments

steps to replicate:

  • set up a local *oma instance
  • turn on these settings:
    ![image](/attachments/1c07c4c8-526d-42c8-86b2-45fbc0d622b6)
  • post a local status with public visibility
  • observe that the API returns "not found" to unauthenticated users
    ![image](/attachments/decc42e4-ebe8-4d8a-afec-de2abdbb0a1a)
  • reply to that status with *any* visibility (even private)
  • observe that that API route too returns 404
    ![image](/attachments/194f305e-f6f5-423d-bc55-13d2d34272bc)
  • view the `/context` path of either the base post or the reply
  • observe that the status we could not read earlier is returned
    ![image](/attachments/70d16423-171d-4b9b-97b7-a01f410b9e11)

luckily this does not leak private statuses
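An offline-runnable regression check for the behaviour this issue describes, added here as example code (not Akkoma's own): it assumes the Mastodon-compatible routes `/api/v1/statuses/:id` and `/api/v1/statuses/:id/context`, and the canned responses below are constructed to mirror the report, not captured from a real instance.

```python
import json
import urllib.error
import urllib.request

# fetch(path) -> (http_status, parsed_json_or_None); swap in http_fetch(base_url)
# to run the same check anonymously against a live instance.
def http_fetch(base_url):
    """Return a fetch callable that performs unauthenticated GETs against base_url."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as r:
                return r.status, json.loads(r.read().decode())
        except urllib.error.HTTPError as e:
            return e.code, None
    return fetch

def find_context_leaks(fetch, status_ids):
    """Compare the direct status route with /context for each id.

    A status is counted as leaked when the direct route answers 404 to the
    anonymous client but the same id shows up in the ancestors/descendants
    of some status's /context response. Returns the set of leaked ids."""
    denied = {sid for sid in status_ids
              if fetch(f"/api/v1/statuses/{sid}")[0] == 404}
    leaked = set()
    for sid in status_ids:
        code, body = fetch(f"/api/v1/statuses/{sid}/context")
        if code != 200 or not body:
            continue
        for item in body.get("ancestors", []) + body.get("descendants", []):
            if item.get("id") in denied:
                leaked.add(item["id"])
    return leaked

# Constructed responses matching the report: public root "1" and private
# reply "2" are both 404 on the direct route, yet the reply's /context
# still returns the root as an ancestor. The private reply is not exposed.
FAKE_RESPONSES = {
    "/api/v1/statuses/1": (404, None),
    "/api/v1/statuses/2": (404, None),
    "/api/v1/statuses/1/context": (200, {"ancestors": [], "descendants": []}),
    "/api/v1/statuses/2/context": (200, {"ancestors": [{"id": "1"}], "descendants": []}),
}

def fake_fetch(path):
    return FAKE_RESPONSES.get(path, (404, None))

if __name__ == "__main__":
    print(find_context_leaks(fake_fetch, ["1", "2"]))  # prints {'1'}
```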

Reference: AkkomaGang/akkoma#25