CVE-2022-31017: Fix edit event exposure in protected-history streams.

When editing an old message in a private stream with protected history, the server would incorrectly send an API event including the edited message to all of the stream’s current subscribers, including those who should not have access to the old message. This API event is ignored by official clients, so it could only be observed by a user using a modified client or their browser’s developer tools. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2025-10-23 04:52:12 +00:00 · 2022-05-31 17:51:33 -07:00
parent 9d3fb85897
commit b031537fe9
1 changed files with 1 additions and 1 deletions
--- a/zerver/actions/message_edit.py
+++ b/zerver/actions/message_edit.py
@@ -698,7 +698,7 @@ def do_update_message(
    # where possible.
    users_to_be_notified = list(map(user_info, ums))
    if stream_being_edited is not None:
-        if stream_being_edited.is_history_public_to_subscribers:
+        if stream_being_edited.is_history_public_to_subscribers():
            subscriptions = get_active_subscriptions_for_stream_id(
                stream_id, include_deactivated_users=False
            )