SECURITY: Poster IDs could reveal IPs across boards

Imagine the following scenario:

Alice has permission to view IPs on board A, and Bob has permissions to view IPs on board B.

If the post numbers were to match and the same IP made both posts, the two posts would carry identical poster IDs, so A and B could trade user IPs which they would not normally have permission to see. This bug has already cropped up on 8chan.co and is now patched.
8chan 2014-10-07 08:16:21 -07:00
parent 9468df05b9
commit 3da946268a
3 changed files with 6 additions and 6 deletions


@ -2138,14 +2138,14 @@ function rrmdir($dir) {
}
}
function poster_id($ip, $thread) {
function poster_id($ip, $thread, $board) {
global $config;
if ($id = event('poster-id', $ip, $thread))
if ($id = event('poster-id', $ip, $thread, $board))
return $id;
// Confusing, hard to brute-force, but simple algorithm
return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread) . $config['secure_trip_salt']), 0, $config['poster_id_length']);
return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread . $board) . $config['secure_trip_salt']), 0, $config['poster_id_length']);
}
function generate_tripcode($name) {
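Review bot: The new `$thread . $board` concatenation on the return line is an ambiguous encoding, so distinct (thread, board) pairs can still hash to the same ID if board URIs may contain digits — thread 1 on board `2a` and thread 12 on board `a` would both feed `…12a` into sha1, reopening the very cross-board correlation this commit closes. Separate the fields unambiguously, e.g. `sha1($ip . $config['secure_trip_salt'] . $thread . '/' . $board)` (or hash an `implode("\0", [...])` of the fields); this rotates all existing IDs, but the commit already does that by mixing in `$board`. The new `$board` parameter also has no default, and on the PHP of this era a caller not updated by this commit would presumably only raise a warning and concatenate an empty string, silently producing board-independent IDs again. Consider failing loudly instead, e.g. `if ($board === null || $board === '') throw new \InvalidArgumentException('poster_id(): board is required');`, and the same caveat applies to any `poster-id` event handler that ignores the third argument.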


@ -19,7 +19,6 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension
new Twig_SimpleFilter('capcode', 'capcode'),
new Twig_SimpleFilter('hasPermission', 'twig_hasPermission_filter'),
new Twig_SimpleFilter('date', 'twig_date_filter'),
new Twig_SimpleFilter('poster_id', 'poster_id'),
new Twig_SimpleFilter('remove_whitespace', 'twig_remove_whitespace_filter'),
new Twig_SimpleFilter('count', 'count'),
new Twig_SimpleFilter('ago', 'ago'),
@ -40,6 +39,7 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension
return array(
new Twig_SimpleFunction('time', 'time'),
new Twig_SimpleFunction('floor', 'floor'),
new Twig_SimpleFunction('poster_id', 'poster_id'),
new Twig_SimpleFunction('timezone', 'twig_timezone_function'),
new Twig_SimpleFunction('hiddenInputs', 'hiddenInputs'),
new Twig_SimpleFunction('hiddenInputsHash', 'hiddenInputsHash'),
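Review bot: The `poster_id` filter registration is dropped and only the function form is registered, so any template still using `post.ip|poster_id(...)` will fail at Twig compile time rather than quietly computing a board-less ID; that is the safer outcome, but nothing in the code records that the removal is deliberate. A comment on the new function line, e.g. `// poster_id(ip, thread, board) — function only; the 2-arg filter form was removed so stale templates error out instead of yielding board-independent IDs`, would keep a future contributor from re-adding the filter and reintroducing the leak. The enclosing class definition begins and ends outside both hunks.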


@ -1,7 +1,7 @@
{% if config.poster_ids %}
{% if post.thread %}
ID: <span class="poster_id">{{ post.ip|poster_id(post.thread) }}</span>
ID: <span class="poster_id">{{ poster_id(post.ip, post.thread, board.uri) }}</span>
{% else %}
ID: <span class="poster_id">{{ post.ip|poster_id(post.id) }}</span>
ID: <span class="poster_id">{{ poster_id(post.ip, post.id, board.uri) }}</span>
{% endif %}
{% endif %}
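Review bot: Both new lines depend on `board.uri` being present in the template context; if this partial is ever rendered on a path that does not pass `board` (and Twig is not running with `strict_variables`), the undefined name presumably resolves to null and the ID silently degrades to the board-less form this commit is fixing. Whether `board` is in scope for every include of this template cannot be confirmed from the hunk, so each render path (including any mod views) should be checked, or `strict_variables` enabled so a missing `board` is a hard error rather than a quiet fallback. A short comment above `{% if post.thread %}`, such as `{# board.uri is mixed into the ID so identical IDs cannot be correlated across boards; board must be in context #}`, would document the requirement at the call site.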