From 47a677aba1a2079292e5361eecdc4394cf072d7b Mon Sep 17 00:00:00 2001
From: Neil Williams
Date: Tue, 11 Feb 2014 11:49:26 -0800
Subject: [PATCH] /tb/: Check permissions before redirecting.

When the user is not logged in or has the toolbar disabled, the toolbar endpoint will turn a link ID36 into a redirect to the submission on reddit. This redirect includes the slugified title of the post as well as the subreddit it's in which could lead to a leak of information from a private subreddit. This fixes an information disclosure vulnerability reported by Jordan Milne (/u/largenocream).
---
 r2/r2/controllers/toolbar.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/r2/r2/controllers/toolbar.py b/r2/r2/controllers/toolbar.py
index 9e1bf59ff..d8b1a72aa 100644
--- a/r2/r2/controllers/toolbar.py
+++ b/r2/r2/controllers/toolbar.py
@@ -113,6 +113,9 @@ class ToolbarController(RedditController):
         from r2.lib.media import thumbnail_url
         if not link:
             return self.abort404()
+        elif not link.subreddit_slow.can_view(c.user):
+            # don't disclose the subreddit/title of a post via the redirect url
+            self.abort403()
         elif link.is_self:
             return self.redirect(link.url)
         elif not (c.user_is_loggedin and c.user.pref_frame):
@@ -121,9 +124,6 @@ class ToolbarController(RedditController):
         # if the domain is shame-banned, bail out.
         if is_shamed_domain(link.url)[0]:
             self.abort404()
-
-        if not link.subreddit_slow.can_view(c.user):
-            self.abort403()
 
         if link.has_thumbnail:
             thumbnail = thumbnail_url(link)
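Review bot: The new `elif not link.subreddit_slow.can_view(c.user):` branch calls `self.abort403()` without `return`, unlike the `return self.abort404()` two lines above it; the check is only fail-closed if `abort403` raises, and should it ever return normally, execution would fall through the elif chain into the rest of the handler (the shame-banned check and thumbnail code in the second hunk). Writing it as `return self.abort403()` matches the adjacent style and removes that dependency. Separately, answering 403 still confirms that the ID36 names an existing link in a subreddit the viewer cannot see, where a 404 would not; whether that is acceptable depends on how the rest of the site treats private-subreddit lookups, which is not visible here. The enclosing method starts before the hunk.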