From b031537fe98525b22152bfa04a18734ad08c5362 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Tue, 31 May 2022 17:51:33 -0700
Subject: [PATCH] CVE-2022-31017: Fix edit event exposure in protected-history streams.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When editing an old message in a private stream with protected history, the server would incorrectly send an API event including the edited message to all of the stream’s current subscribers, including those who should not have access to the old message. This API event is ignored by official clients, so it could only be observed by a user using a modified client or their browser’s developer tools.

Signed-off-by: Anders Kaseorg
---
 zerver/actions/message_edit.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zerver/actions/message_edit.py b/zerver/actions/message_edit.py
index c710a6f02a..d7c2cbfac8 100644
--- a/zerver/actions/message_edit.py
+++ b/zerver/actions/message_edit.py
@@ -698,7 +698,7 @@ def do_update_message(
 # where possible.
 users_to_be_notified = list(map(user_info, ums))
 if stream_being_edited is not None:
- if stream_being_edited.is_history_public_to_subscribers:
+ if stream_being_edited.is_history_public_to_subscribers():
 subscriptions = get_active_subscriptions_for_stream_id(
 stream_id, include_deactivated_users=False
 )
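Review bot: Nothing in this patch guards against the same mistake returning: the diffstat shows only `zerver/actions/message_edit.py` changed, so the corrected condition `if stream_being_edited.is_history_public_to_subscribers():` ships without a regression test. A test that edits an old message in a private stream with protected history, and asserts that a user who subscribed after the message was sent is not among the recipients of the update event, would pin the intended behaviour. Because a bare bound method is always truthy, the old line silently took the all-subscribers branch; a static check such as mypy's `truthy-function` error code catches this class of bug, and any other uses of `is_history_public_to_subscribers` outside this hunk are worth checking for the same missing call. `do_update_message` starts and ends outside the hunk, so the branch taken for protected-history streams is not visible here.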