/tb/: Check permissions before redirecting.

When the user is not logged in or has the toolbar disabled, the toolbar
endpoint will turn a link ID36 into a redirect to the submission on
reddit.  This redirect includes the slugified title of the post as well
as the subreddit it's in, which could lead to a leak of information from
a private subreddit.

This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
Neil Williams
2014-02-11 11:49:26 -08:00
parent 497751dc96
commit 47a677aba1


@@ -113,6 +113,9 @@ class ToolbarController(RedditController):
from r2.lib.media import thumbnail_url
if not link:
return self.abort404()
elif not link.subreddit_slow.can_view(c.user):
# don't disclose the subreddit/title of a post via the redirect url
self.abort403()
elif link.is_self:
return self.redirect(link.url)
elif not (c.user_is_loggedin and c.user.pref_frame):
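Review bot: the new `elif not link.subreddit_slow.can_view(c.user):` branch calls `self.abort403()` without `return`, while the branch just above it writes `return self.abort404()`. If `abort403` raises (as a Pylons-style `abort` does) the two are equivalent, but if it ever merely returns a response, control would continue past the `if`/`elif` chain into the thumbnail and rendering code below; `return self.abort403()` keeps the chain consistent and makes the early exit explicit. Placing the check ahead of the `link.is_self` and `not (c.user_is_loggedin and c.user.pref_frame)` branches is the right position, since both of those emit the redirect that carried the subreddit and slug. One thing to note for the record: a missing link still answers 404 and a private one now answers 403, so the existence of a private link remains observable from the status code even though its subreddit and title are no longer exposed.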
@@ -121,9 +124,6 @@ class ToolbarController(RedditController):
# if the domain is shame-banned, bail out.
if is_shamed_domain(link.url)[0]:
self.abort404()
if not link.subreddit_slow.can_view(c.user):
self.abort403()
if link.has_thumbnail:
thumbnail = thumbnail_url(link)
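Review bot: removing the `can_view` check here is correct only because the same check now sits at the top of the branch chain, before any redirect is issued; the old position ran after the `is_self` and non-toolbar redirects had already returned, which is why it never protected them. The ordering relative to `is_shamed_domain(link.url)[0]` also changes: a shame-banned link in a subreddit the user cannot view used to 404 here and will now 403 from the earlier check. That is the safer ordering (permission before any link-derived lookup), but the commit message should mention it so the status-code change is not mistaken for a regression.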