When the user is not logged in or has the toolbar disabled, the toolbar
endpoint will turn a link ID36 into a redirect to the submission on
reddit. This redirect includes the slugified title of the post as well
as the subreddit it's in, which could lead to a leak of information from
a private subreddit.

This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).

This is not strictly necessary as /gold/creditgild is where the
information leak actually occurs, but checking here should help prevent
future leaks of the same type.

This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).

Previously, it was possible to generate a payment blob for a comment the
user does not have permission to view (in a private subreddit or
deleted) and then use the creditgild form to see the author and content
of the comment. This adds a check to creditgild to ensure correct
permissions at display time.

This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
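
An added illustration of the creditgild issue above, written for this page and not taken from the reddit code base: a toy model in which a payment blob only references a comment by ID36, a vulnerable display path renders the comment straight from the blob, and a fixed path re-applies the viewing rule (deleted, private subreddit membership) at display time. All class and function names here are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed toy model of the objects involved; not reddit's code.
@dataclass(frozen=True)
class Subreddit:
    name: str
    private: bool = False
    members: frozenset = field(default_factory=frozenset)

@dataclass
class Comment:
    id36: str
    author: str
    body: str
    subreddit: Subreddit
    deleted: bool = False

@dataclass(frozen=True)
class PaymentBlob:
    comment_id36: str   # the blob carries only a reference, not the content
    buyer: str

def can_view(user, comment):
    """The rule the comment page itself applies: no deleted comments and
    no comments in a private subreddit the user is not a member of."""
    if comment.deleted:
        return False
    sr = comment.subreddit
    return (not sr.private) or user in sr.members

def make_payment_blob(user, comment_id36):
    # Blob creation only needs an ID36, so a blob can be minted for any
    # comment regardless of whether the buyer may view it.
    return PaymentBlob(comment_id36, user)

def creditgild_vulnerable(user, blob, comments):
    # Trusts the blob and renders author/body with no permission check.
    c = comments[blob.comment_id36]
    return {"author": c.author, "body": c.body}

def creditgild_fixed(user, blob, comments):
    # Re-checks permissions at display time, independent of how the blob
    # was obtained; returns None where the real endpoint would refuse.
    c = comments[blob.comment_id36]
    if not can_view(user, c):
        return None
    return {"author": c.author, "body": c.body}

# Constructed sample data: a private subreddit with a single member.
PRIVATE_SR = Subreddit("secretclub", private=True, members=frozenset({"bob"}))
COMMENTS = {
    "abc12": Comment("abc12", "alice", "members-only text", PRIVATE_SR),
    "def34": Comment("def34", "alice", "gone", Subreddit("pics"), deleted=True),
}
```

With these inputs, `creditgild_vulnerable("eve", make_payment_blob("eve", "abc12"), COMMENTS)` discloses alice's private comment, while `creditgild_fixed` returns None for eve and for the deleted comment, and renders only for the member bob.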
Only application devs will be permitted to use password grants,
to discourage widespread use. Password grants are intended
to be a convenience for bots & personal scripts, to encourage
use of OAuth tokens and ease transition to OAuth2.

For more info on password grants, see:
http://tools.ietf.org/html/rfc6749#section-4.3

This will allow for differing handling of permissions based
on application type.

* Web app: Web-hosted application. Can keep a client_secret
* Installed app: e.g., Android app. Client secret is not so secret
  See also: https://developers.google.com/accounts/docs/OAuth2InstalledApp
* Script: For simple scripts and bots. Client secret is assumed secret.

It is necessary to do this check in V*OrAdminSecret as we cannot (and
should not) require a modhash when the secret token is being used
because this would break API compatibility and isn't necessary.

This fixes two XSRF vulnerabilities reported by Jordan Milne
(/u/largenocream).

These endpoints don't appear to have been used since
reddit/reddit@a07c576d1a and I have
verified via haproxy logs that they are not ever being called.

This fixes two XSRF vulnerabilities reported by Jordan Milne
(/u/largenocream).

/u/reddit's inbox was full, causing IpnController.finish to fail
on send_system_message, but after dishing out the gold. Temporarily
ignore "locked" payment_blobs.