Verify admin level before editing others' posts.

Yes, it has been possible for any user to edit any post on the site,
their own or otherwise. Only have to generate the POST /edit_post/
manually: an example exploit was created and tested successfully
prior to patching. However, abuse of this vulnerability would have
generated edit_post modlog entries, the lack of which on prod suggest
it was not abused that we know of -- Lord knows how.
master
Snakes 2022-08-11 20:12:35 -04:00
parent d392a213d5
commit 12d7cfaa6c
Signed by: Snakes
GPG Key ID: E745A82778055C7E
1 changed files with 3 additions and 0 deletions

View File

@ -396,6 +396,9 @@ def edit_post(pid, v):
body = body.replace('\r\n', '\n')[:20000]
if v.id != p.author_id and v.admin_level < 2:
abort(403)
if v.id == p.author_id:
if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')):
return {"error":"You have to type more than 280 characters!"}, 403