CVE-2025-25195: Only send "active" change events to channel subscribers.

This fixes a bug where private stream event to update stream's active status was sent to all active users instead of just its subscribers.
2025-11-03 21:43:21 +00:00 · 2025-01-30 13:32:08 +05:30
parent a2a1a7f8d1
commit 75be449d45
2 changed files with 87 additions and 4 deletions
--- a/zerver/lib/streams.py
+++ b/zerver/lib/streams.py
@@ -1550,7 +1550,7 @@ def notify_stream_is_recently_active_update(stream: Stream, value: bool) -> None
        name=stream.name,
    )

-    send_event_on_commit(stream.realm, event, active_user_ids(stream.realm_id))
+    send_event_on_commit(stream.realm, event, can_access_stream_metadata_user_ids(stream))


@transaction.atomic(durable=True)