From 26721f3056c68d0a350e2585c2603f200eb16194 Mon Sep 17 00:00:00 2001
From: Roland Haeder <roland@mxchange.org>
Date: Fri, 27 Mar 2015 21:55:45 +0100
Subject: [PATCH] Check scope, else a privacy leaks happens this way:

1) Bob and Alice follow each other and write private notices
   (this->scope=2) to each other.
2) Bob uses tags in his private notice to alice (which she can
   read from him).
3) Alice adds that notice (with tags) to her favorites
   ("faving") it.
4) The tags from Bob's private notice becomes visible in Alice's
   profile.

This has the simple background that the scope is not being
re-checked. This has to be done here at this point because given
above scenario is a privacy leak as the tags may be *really*
private (nobody else shall see them) such as initmate words or
very political words.

Signed-off-by: Roland Haeder <roland@mxchange.org>
---
 classes/Notice.php                | 52 ++++++++++++++++++++++++++++---
 lib/activity.php                  |  1 +
 plugins/Favorite/classes/Fave.php |  2 +-
 3 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/classes/Notice.php b/classes/Notice.php
index 8dc5479b49..e04bdbabe6 100644
--- a/classes/Notice.php
+++ b/classes/Notice.php
@@ -542,8 +542,7 @@ class Notice extends Managed_DataObject
                 throw new ClientException(_('You cannot repeat your own notice.'));
             }
 
-            if ($repeat->scope != Notice::SITE_SCOPE &&
-                $repeat->scope != Notice::PUBLIC_SCOPE) {
+            if ($repeat->isPrivateScope()) {
                 // TRANS: Client error displayed when trying to repeat a non-public notice.
                 throw new ClientException(_('Cannot repeat a private notice.'), 403);
             }
@@ -2504,6 +2503,38 @@ class Notice extends Managed_DataObject
      */
     public function getTags()
     {
+        // Check default scope (non-private notices)
+        $inScope = (!$this->isPrivateScope());
+
+        // Get current user
+        $user = common_current_user();
+
+        // Is the general scope check okay and the user in logged in?
+        if (($inScope === TRUE) && ($user instanceof User)) {
+            // Get profile from it
+            $profile = $user->getProfile();
+
+            /*
+             * Check scope, else a privacy leaks happens this way:
+             *
+             * 1) Bob and Alice follow each other and write private notices
+             *    (this->scope=2) to each other.
+             * 2) Bob uses tags in his private notice to alice (which she can
+             *    read from him).
+             * 3) Alice adds that notice (with tags) to her favorites
+             *    ("faving") it.
+             * 4) The tags from Bob's private notice becomes visible in Alice's
+             *    profile.
+             *
+             * This has the simple background that the scope is not being
+             * re-checked. This has to be done here at this point because given
+             * above scenario is a privacy leak as the tags may be *really*
+             * private (nobody else shall see them) such as initmate words or
+             * very political words.
+             */
+            $inScope = $this->inScope($profile);
+        }
+
         $tags = array();
 
         $keypart = sprintf('notice:tags:%d', $this->id);
@@ -2515,7 +2546,9 @@ class Notice extends Managed_DataObject
         } else {
             $tag = new Notice_tag();
             $tag->notice_id = $this->id;
-            if ($tag->find()) {
+
+            // Check scope for privacy-leak protection (see some lines above why)
+            if (($inScope === TRUE) && ($tag->find())) {
                 while ($tag->fetch()) {
                     $tags[] = $tag->tag;
                 }
@@ -2720,7 +2753,7 @@ class Notice extends Managed_DataObject
 
                 $reply = Reply::pkeyGet(array('notice_id' => $this->id,
                                              'profile_id' => $profile->id));
-										 
+
                 if (!$reply instanceof Reply) {
                     return false;
                 }
@@ -2973,4 +3006,15 @@ class Notice extends Managed_DataObject
             $notice->_setRepeats($repeats);
         }
     }
+
+    /**
+     * Checks whether this notice is in "private scope" (non-public notice)
+     *
+     * @return $isPrivate Whether this notice is private
+     */
+    public function isPrivateScope ()
+    {
+        return ($this->scope != Notice::SITE_SCOPE &&
+                $this->scope != Notice::PUBLIC_SCOPE);
+    }
 }
diff --git a/lib/activity.php b/lib/activity.php
index 2d3930df0d..6b3ccf3519 100644
--- a/lib/activity.php
+++ b/lib/activity.php
@@ -107,6 +107,7 @@ class Activity
     public $selfLink; // <link rel='self' type='application/atom+xml'>
     public $editLink; // <link rel='edit' type='application/atom+xml'>
     public $generator; // ActivityObject representing the generating application
+
     /**
      * Turns a regular old Atom <entry> into a magical activity
      *
diff --git a/plugins/Favorite/classes/Fave.php b/plugins/Favorite/classes/Fave.php
index 68c36dfaef..f6c64dac0e 100644
--- a/plugins/Favorite/classes/Fave.php
+++ b/plugins/Favorite/classes/Fave.php
@@ -224,7 +224,7 @@ class Fave extends Managed_DataObject
      *
      * @return array Array of Fave objects
      */
-    static public function byNotice($notice)
+    static public function byNotice(Notice $notice)
     {
         if (!isset(self::$_faves[$notice->id])) {
             self::fillFaves(array($notice->id));
-- 
2.39.5