diff options
author | friendica <info@friendica.com> | 2013-09-04 23:15:53 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-09-04 23:15:53 -0700 |
commit | f1d875c3e181ce02020830ed9e40b0ffb38ccc85 (patch) | |
tree | 5a3c07fe3d3fa8601bb2cc9ab46ffe4f00c3ec10 | |
parent | a88437a1ef75c688e36788c70e53c02e873e9740 (diff) | |
download | volse-hubzilla-f1d875c3e181ce02020830ed9e40b0ffb38ccc85.tar.gz volse-hubzilla-f1d875c3e181ce02020830ed9e40b0ffb38ccc85.tar.bz2 volse-hubzilla-f1d875c3e181ce02020830ed9e40b0ffb38ccc85.zip |
issue #59 - this is a real bugger. Might seem fixed but read the code. This could potentially create a security/permissions issue
-rwxr-xr-x | include/items.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/include/items.php b/include/items.php index c15bf8205..a2300c2e0 100755 --- a/include/items.php +++ b/include/items.php @@ -2010,8 +2010,13 @@ function tag_deliver($uid,$item_id) { intval($item['parent']), intval($uid) ); - if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) { - logger('tag_deliver: creating second delivery chain for owner comment.'); + +// issue #59 +// FIXME - check security on post and allowed senders, right now we just allow it. The author *may* be foreign and the original owner is lost on our copy of the post. So this could be very hard to verify. For instance what happens if the top-level post was a wall-to-wall? +// if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) { + if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK)) { +// logger('tag_deliver: creating second delivery chain for owner comment.'); + logger('tag_deliver: creating second delivery chain for comment to tagged post.'); // now change this copy of the post to a forum head message and deliver to all the tgroup members // also reset all the privacy bits to the forum default permissions |