jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

saved searches: fix exploit allowing flaggers to be determined.

Browse Source 
Fix an exploit that let you determine the flagger of a post using
`flagger:<username>` saved searches. Saved searches were performed as
DanbooruBot, but since DanbooruBot is a moderator, it let unprivileged
users do `flagger:<username>` searches. Saved searches were done as a
moderator to avoid tag limits, but this is no longer necessary since the
last PostQueryBuilder refactor.

fred get out
This commit is contained in:
evazion
2021-08-31 22:14:11 -05:00
parent 88e379f9cc
commit c41e3f4590
3 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/saved_search.rb
View File

@@ -130,7 +130,7 @@ class SavedSearch < ApplicationRecord
return if redis.exists?(redis_key)
post_ids = Post.with_timeout(timeout, [], query: query) do
Post.system_tag_match(query).limit(QUERY_LIMIT).pluck(:id)
Post.anon_tag_match(query).limit(QUERY_LIMIT).pluck(:id)
end
if post_ids.present?