[buddypress-trac] [BuddyPress] #2343: SECURITY RISK (internal): Forum posts are "promiscuous" and can be hacked by unauthorized users
buddypress-trac at lists.automattic.com
Mon Apr 26 20:35:53 UTC 2010
#2343: SECURITY RISK (internal): Forum posts are "promiscuous" and can be hacked
by unauthorized users
----------------------+-----------------------------------------------------
Reporter: 3sixty | Owner:
Type: defect | Status: new
Priority: critical | Milestone: 1.2.4
Component: Forums | Keywords: has-patch, needs-testing
----------------------+-----------------------------------------------------
Comment(by johnjamesjacoby):
Ironically enough, this problem starts off as a bbPress problem. bbPress
doesn't include the name of the forum, category, or tag in the permalink
structure when viewing an individual topic.
My patch passes the $forum_id through to the core BuddyPress classes as a
variable, and then checks against that variable before the topic template
is processed. If the topic->forum_id doesn't match the
current_group->forum_id, then it returns false.
Give the patch some testing and feel free to repatch.
--
Ticket URL: <https://trac.buddypress.org/ticket/2343#comment:5>
BuddyPress <http://buddypress.org/>
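
The check described in the comment above, sketched as an added example; it is not the patch attached to the ticket and not BuddyPress or bbPress code. The function names, array layout and sample data are assumptions made for illustration.

```php
<?php
// Constructed sample data: two groups, each bound to its own forum.
$groups = [
    'group-a' => ['forum_id' => 1],
    'group-b' => ['forum_id' => 2],
];

// Topics are keyed by slug only, mirroring a topic permalink that carries
// no forum, category or tag name.
$topics = [
    'welcome'       => ['forum_id' => 1, 'title' => 'Welcome'],
    'board-minutes' => ['forum_id' => 2, 'title' => 'Board minutes'],
];

/**
 * Unscoped lookup (hypothetical "before" form): any topic slug resolves,
 * whichever group the request arrived through.
 */
function get_topic_unscoped(array $topics, string $topic_slug)
{
    return $topics[$topic_slug] ?? false;
}

/**
 * Scoped lookup (hypothetical "after" form): the current group's forum_id is
 * passed in and compared with the topic's forum_id before the topic is handed
 * to the template. A mismatch returns false, as the comment describes.
 */
function get_topic_for_group(array $topics, array $groups, string $group_slug, string $topic_slug)
{
    if (!isset($groups[$group_slug], $topics[$topic_slug])) {
        return false; // unknown group or unknown topic
    }
    $topic = $topics[$topic_slug];
    // Strict comparison: both ids must be the same integer.
    if ($topic['forum_id'] !== $groups[$group_slug]['forum_id']) {
        return false; // topic belongs to another group's forum
    }
    return $topic;
}

// The same topic slug requested through the wrong group and the right one.
var_dump(get_topic_unscoped($topics, 'board-minutes') !== false);
var_dump(get_topic_for_group($topics, $groups, 'group-a', 'board-minutes'));
var_dump(get_topic_for_group($topics, $groups, 'group-b', 'board-minutes'));
```

The same comparison has to guard every handler that accepts a topic identifier (view, reply, edit, delete), not only the template that renders it.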