Fixed thread/post links can leak partial thread-title for non-viewable threads


Well-known member
Affected version
A small corner case touching threads/XXXX/post-YYY with a valid thread id but invalid post id can cause XF to issue a redirect to the thread without checking if this thread is visible. This will then leak a url-normalized copy of the thread name.

    public function actionPost(ParameterBag $params)
        /** @var \XF\Entity\Post $post */
        $post = $this->em()->find('XF:post', $postId, $with);
        if (!$post)
            $thread = $this->em()->find('XF:Thread', $params->thread_id);
            if ($thread)
                return $this->redirect($this->buildLink('threads', $thread)); // <- issue
                return $this->notFound();
The fix is fairly simple, it should check the thread visibility before redirecting.

Also, for consistency with assertViewableThread, the notFound() call should be $this->notFound(\XF::phrase('requested_thread_not_found')).
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.13).

Change log:
Check thread visibility before redirecting for invalid post links
There may be a delay before changes are rolled out to the XenForo Community.
Top Bottom