Fixed thread/post links can leak partial thread-title for non-viewable threads

X

Xon

Well-known member
Affected version
2.2.12
A small corner case touching threads/XXXX/post-YYY with a valid thread id but invalid post id can cause XF to issue a redirect to the thread without checking if this thread is visible. This will then leak a url-normalized copy of the thread name.

PHP: 
    public function actionPost(ParameterBag $params)
    {
...
        /** @var \XF\Entity\Post $post */
        $post = $this->em()->find('XF:post', $postId, $with);
        if (!$post)
        {
            $thread = $this->em()->find('XF:Thread', $params->thread_id);
            if ($thread)
            {
                return $this->redirect($this->buildLink('threads', $thread)); // <- issue
            }
            else
            {
                return $this->notFound();
            }
        }
...
The fix is fairly simple, it should check the thread visibility before redirecting.

Also, for consistency with assertViewableThread, the notFound() call should be $this->notFound(\XF::phrase('requested_thread_not_found')).
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.13).

Change log:
Check thread visibility before redirecting for invalid post links
Click to expand...
There may be a delay before changes are rolled out to the XenForo Community.
 
Back
Top Bottom