By knowing the ID36 of a link, it is possible to see its media embed
because the embed request is served off-domain and as a result can't
verify the user's cookie. To fix this, we add an authentication code to
the iframe URL for media embeds and require its presence for all embeds
in private subreddits.
This makes required the credentials which were added in an earlier
patch.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
By knowing the ID36 of a link, it is possible to see its media embed
because the embed request is served off-domain and as a result can't
verify the user's cookie. To fix this, we add an authentication code to
the iframe URL for media embeds and require its presence for all embeds
in private subreddits.
This starts appending credentials to private subreddit embeds such that
when the latter half of the fix is deployed all apps are already
generating appropriate embed URLs.
This is part of a fix for an information disclosure vulnerability
reported by Jordan Milne (/u/largenocream).
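The embed-credential scheme described in the two commit messages above, as an added illustration that is not reddit's own code: the main site appends a keyed MAC over the link's ID36 to the iframe URL for private-subreddit links, and the off-domain media endpoint refuses private embeds whose code is missing or wrong. The secret, the `id`/`code` parameter names, the media domain and the `LINKS` table are all constructed for this example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed secret for the example; a real deployment loads it from config.
EMBED_SECRET = b"example-embed-secret-not-real"

# Constructed lookup: link ID36 -> (subreddit, is_private).
LINKS = {"2f9ab": ("secret_sub", True), "1xk3z": ("pics", False)}


def embed_auth_code(link_id36: str) -> str:
    """HMAC-SHA256 over the link ID36, hex-encoded. Knowing the ID36 alone
    is not enough to forge it, so the media domain can check it without
    ever seeing the user's session cookie."""
    return hmac.new(EMBED_SECRET, link_id36.encode(), hashlib.sha256).hexdigest()


def build_embed_url(link_id36: str, media_domain: str = "media.example.invalid") -> str:
    """Main-site side: build the iframe src, appending the code only for
    links in private subreddits (public embeds stay unchanged)."""
    params = {"id": link_id36}
    _sr, private = LINKS[link_id36]
    if private:
        params["code"] = embed_auth_code(link_id36)
    return f"https://{media_domain}/mediaembed?{urlencode(params)}"


def authorize_embed(url: str) -> bool:
    """Media-domain side: serve public links freely; for private links
    require a present and valid code, compared in constant time."""
    qs = parse_qs(urlsplit(url).query)
    link_id36 = qs.get("id", [""])[0]
    if link_id36 not in LINKS:
        return False
    _sr, private = LINKS[link_id36]
    if not private:
        return True
    code = qs.get("code", [""])[0]
    return hmac.compare_digest(code, embed_auth_code(link_id36))
```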
Given the ID36, it was possible to get the title-slug and subreddit of a
submission in a private subreddit. This adds a missing permissions
check to fix that.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
This makes it easier to avoid issues with running pre()
functions multiple times (multiply subclassing was causing
problems) and makes it so all resources are blocked from oauth
access unless explicitly enabled (instead of randomly allowing
access as a "logged out user" to endpoints that aren't part of
an OAuth2ResourceController)
Conflicts:
r2/r2/controllers/apiv1.py
r2/r2/controllers/oauth2.py
When in an OAuth context, decorated functions
will only be run if the context includes the designated
scope.
When not in an OAuth context, the function is run normally.
Allows token bearer to manipulate user flair, and
the flair of his submitted links
Give /api/setflairenabled "flair" scope
Give /api/flairselector "flair" scope
Previously, the subreddit/domain and account precomputers were separate.
This merges the two and improves their portability in the process.
Because of the increased portability, the precomputer can now be added
to the install script by default.
For simple installs of reddit, g.domain == g.media_domain. If this is
the case, the app will print a warning at startup. However, this
warning was printed to stdout which meant that any jobs (such as the
mr_top stuff) using the output of a reddit process would get this
warning in their data streams. Bad times.
The domain is not "reddit.com" on other sites. This also fixes the issue
of doing concatenation of internationalized strings which is a bad idea.
Fixes reddit/reddit#968.