From 3da946268af116ceefad6415d1c77a3cf8a8ba68 Mon Sep 17 00:00:00 2001
From: 8chan
Date: Tue, 7 Oct 2014 08:16:21 -0700
Subject: [PATCH] SECURITY: Poster IDs could reveal IPs across boards

Imagine the following scenario: Alice has permission to view IPs on board A, and Bob has permissions to view IPs on board B. If the post number was to match, and the same IP made both posts, A and B could trade user IPs which they wouldn't normally have permission to do so. This weird bug has already creeped up on 8chan.co and is now patched.

---
 inc/functions.php | 6 +++---
 inc/lib/Twig/Extensions/Extension/Tinyboard.php | 2 +-
 templates/post/poster_id.html | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/inc/functions.php b/inc/functions.php
index 1b77c191..ade92cbd 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -2138,14 +2138,14 @@ function rrmdir($dir) {
 }
 }
 
-function poster_id($ip, $thread) {
+function poster_id($ip, $thread, $board) {
 global $config;
 
- if ($id = event('poster-id', $ip, $thread))
+ if ($id = event('poster-id', $ip, $thread, $board))
 return $id;
 
 // Confusing, hard to brute-force, but simple algorithm
- return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread) . $config['secure_trip_salt']), 0, $config['poster_id_length']);
+ return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread . $board) . $config['secure_trip_salt']), 0, $config['poster_id_length']);
 }
 
 function generate_tripcode($name) {
diff --git a/inc/lib/Twig/Extensions/Extension/Tinyboard.php b/inc/lib/Twig/Extensions/Extension/Tinyboard.php
index 81276147..75af6890 100644
--- a/inc/lib/Twig/Extensions/Extension/Tinyboard.php
+++ b/inc/lib/Twig/Extensions/Extension/Tinyboard.php
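Review bot: The new pre-image in poster_id() joins `$thread . $board` with no delimiter, so distinct (thread, board) pairs can still hash to the same value — thread `1` on board `2b` and thread `12` on board `b` produce the identical string — which leaves exactly the cross-board ID match this commit sets out to close for any board URI that begins with a digit (whether such URIs are allowed is not visible in this patch). Separating the fields removes the ambiguity without any new compatibility cost, since the commit already changes every existing ID: `return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread . "\0" . $board) . $config['secure_trip_salt']), 0, $config['poster_id_length']);`. If the construction is revisited anyway, a keyed hash such as `hash_hmac('sha256', $thread . "\0" . $board . "\0" . $ip, $config['secure_trip_salt'])` is the standard replacement for the hand-rolled nested sha1-with-salt, and the comment above it should then say what it is rather than "confusing". The added `$board` parameter has no default, so any caller outside the Twig template that still passes two arguments (none appear in this patch) would get a PHP warning and a null board, silently collapsing back to the old thread-only ID space; either give it a default of `false` and fail loudly, or grep for remaining two-argument calls.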
@@ -19,7 +19,6 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension
 new Twig_SimpleFilter('capcode', 'capcode'),
 new Twig_SimpleFilter('hasPermission', 'twig_hasPermission_filter'),
 new Twig_SimpleFilter('date', 'twig_date_filter'),
- new Twig_SimpleFilter('poster_id', 'poster_id'),
 new Twig_SimpleFilter('remove_whitespace', 'twig_remove_whitespace_filter'),
 new Twig_SimpleFilter('count', 'count'),
 new Twig_SimpleFilter('ago', 'ago'),
@@ -40,6 +39,7 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension
 return array(
 new Twig_SimpleFunction('time', 'time'),
 new Twig_SimpleFunction('floor', 'floor'),
+ new Twig_SimpleFunction('poster_id', 'poster_id'),
 new Twig_SimpleFunction('timezone', 'twig_timezone_function'),
 new Twig_SimpleFunction('hiddenInputs', 'hiddenInputs'),
 new Twig_SimpleFunction('hiddenInputsHash', 'hiddenInputsHash'),
diff --git a/templates/post/poster_id.html b/templates/post/poster_id.html
index 4efc56ff..3f5ba798 100644
--- a/templates/post/poster_id.html
+++ b/templates/post/poster_id.html
@@ -1,7 +1,7 @@
 {% if config.poster_ids %}
 {% if post.thread %}
- ID: {{ post.ip|poster_id(post.thread) }}
+ ID: {{ poster_id(post.ip, post.thread, board.uri) }}
 {% else %}
- ID: {{ post.ip|poster_id(post.id) }}
+ ID: {{ poster_id(post.ip, post.id, board.uri) }}
 {% endif %}
 {% endif %}
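Review bot: Registering `poster_id` as a Twig function while removing the filter of the same name is a template-facing API break: any template other than post/poster_id.html that still writes `post.ip|poster_id(...)` will fail at render time with an unknown-filter error, and only one template is updated in this patch. Keeping the filter registered alongside the function for one release, `new Twig_SimpleFilter('poster_id', 'poster_id'),`, would let stragglers keep rendering, though they would then be calling the three-argument function with two arguments and producing thread-only IDs, so a grep of the templates directory for `|poster_id` is the safer follow-up. The enclosing `getFilters()`/`getFunctions()` methods start and end outside the hunk.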
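Review bot: The template now depends on a `board` variable being present in the render context, and Twig resolves a missing `board.uri` to null rather than an error unless strict_variables is on, so in any context that renders posts without a `board` (which contexts exist is not visible here) the ID silently degrades to the thread-only keyspace this commit is fixing. Guarding the call, `{{ poster_id(post.ip, post.thread, board.uri|default(post.board)) }}` if posts carry their board, or otherwise `{% if board is not defined %}{# poster IDs require a board context #}{% endif %}`, makes the dependency explicit; at minimum a one-line comment at the top of the file saying that `board.uri` is part of the ID's key and must match the board the post belongs to would keep the next editor from reusing this partial on a multi-board view.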