From 2d79e75788aa71664a379c4cea0b6bfe3ab87ad0 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Thu, 12 May 2016 16:51:20 -0700
Subject: SECURITY: edited comment to private post loses privacy info. Not visible in stream but may be visible in feeds
---
include/zot.php | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'include')
diff --git a/include/zot.php b/include/zot.php
index 157354afa..8adc74ffa 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -1953,6 +1953,16 @@ function remove_community_tag($sender, $arr, $uid) {
 */
 function update_imported_item($sender, $item, $orig, $uid) {
+ // If this is a comment being updated, remove any privacy information
+ // so that item_store_update will set it from the original.
+
+ if($item['mid'] !== $item['parent_mid']) {
+ unset($item['allow_cid']);
+ unset($item['allow_gid']);
+ unset($item['deny_cid']);
+ unset($item['deny_gid']);
+ unset($item['item_private']);
+ }
 $x = item_store_update($item);
--
cgit v1.2.3
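Review bot: The comment-versus-post test `if($item['mid'] !== $item['parent_mid'])` is evaluated on the incoming `$item`, so whether the privacy fields are stripped depends on values supplied by the remote sender rather than on what is stored locally. The stored copy is already passed in as `$orig`; if it carries `mid` and `parent_mid`, classifying from it (or stripping whenever either copy says "comment") would make the guard independent of the update payload. The fix also relies on `item_store_update` re-deriving `allow_*`, `deny_*` and `item_private` when they are absent, which is not visible in this hunk, and the comment's "from the original" does not say whether that means the stored comment or the parent post; a regression test that edits a comment on a private post and checks the stored ACL and the feed output would pin that contract. The body of `update_imported_item` continues past the end of the hunk.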