From 21a8fae8d6cfdfcd740369d6c5998858381ca5d7 Mon Sep 17 00:00:00 2001 From: Giteabot Date: Tue, 14 Nov 2023 07:03:42 +0800 Subject: [PATCH] Dont leak private users via extensions (#28023) (#28029) Backport #28023 by @6543 there was no check in place if a user could see a other user, if you append e.g. `.rss` (cherry picked from commit eef41489357a6b57e81f7c9a0a5580553f0f66ef) --- routers/web/user/home.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/routers/web/user/home.go b/routers/web/user/home.go index 76b9262ead..d0d24d7ed1 100644 --- a/routers/web/user/home.go +++ b/routers/web/user/home.go @@ -822,6 +822,11 @@ func UsernameSubRoute(ctx *context.Context) { reloadParam := func(suffix string) (success bool) { ctx.SetParams("username", strings.TrimSuffix(username, suffix)) context_service.UserAssignmentWeb()(ctx) + // check view permissions + if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) { + ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name)) + return false + } return !ctx.Written() } switch {