From ded909120614e5b1fa1f9469c753a30b2d9b16ed Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Wed, 29 Aug 2018 08:51:51 +0000
Subject: [PATCH] mastodon api: use bounded AP object graph query to enforce containment of private statuses

---
 lib/pleroma/web/mastodon_api/mastodon_api_controller.ex | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
index f482de6fdc..c90f9fa055 100644
--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@@ -850,9 +850,14 @@ def list_timeline(%{assigns: %{user: user}} = conn, %{"list_id" => id} = params)
       |> Map.put("type", "Create")
       |> Map.put("blocking_user", user)
 
-    # adding title is a hack to not make empty lists function like a public timeline
+    # we must filter the following list for the user to avoid leaking statuses the user
+    # does not actually have permission to see (for more info, peruse security issue #270).
+    following_to =
+      following
+      |> Enum.filter(fn x -> x in user.following end)
+
     activities =
-      ActivityPub.fetch_activities([title | following], params)
+      ActivityPub.fetch_activities_bounded(following_to, following, params)
       |> Enum.reverse()
 
     conn
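Review bot: The removed comment says `title` was included specifically so that an empty list would not behave like a public timeline, and the new `fetch_activities_bounded(following_to, following, params)` call drops it without a visible replacement for that guard; since `fetch_activities_bounded` is outside this patch, it is worth confirming that an empty `following_to` (the user follows none of the list members) and an empty `following` yield no activities rather than an unbounded query, and adding a comment such as `# an empty recipient list must return nothing, never fall through to a public query` next to the call. The `x in user.following` membership test inside `Enum.filter` is a linear scan of `user.following` for every list member, so on a large following list each list-timeline request costs O(n·m); `followed = MapSet.new(user.following)` followed by `Enum.filter(following, &MapSet.member?(followed, &1))` keeps the same containment check in linear time. If `title` is no longer referenced elsewhere in the function, the compiler will now warn that it is unused. `list_timeline` begins before this hunk, where `following` and `title` are computed, so those parts are not visible here.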