From 09e0dffa4656198cb81c76426d5f9236099d0417 Mon Sep 17 00:00:00 2001
From: Changaco
Date: Fri, 15 Dec 2023 10:51:06 +0100
Subject: [PATCH] fix information leak in private lists of patrons

https://hackerone.com/reports/2286764
---
 www/%username/patrons/export.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/%username/patrons/export.spt b/www/%username/patrons/export.spt
index 394d6c5bd..b0be400aa 100644
--- a/www/%username/patrons/export.spt
+++ b/www/%username/patrons/export.spt
@@ -33,7 +33,7 @@ if scope == 'active':
 ORDER BY pt.ctime
 LIMIT 1
 ) AS first_payment_date
- , tipper_p.avatar_url AS patron_avatar_url
+ , (CASE WHEN tip.visibility > 1 THEN tipper_p.avatar_url ELSE '' END) AS patron_avatar_url
 FROM current_tips tip
 JOIN participants tipper_p ON tipper_p.id = tip.tipper
 WHERE tip.tippee = %s
@@ -87,7 +87,7 @@ elif scope == 'all':
 AND coalesce(pt.team, pt.recipient) = tip.tippee
 AND pt.status = 'succeeded'
 ) AS sum_received
- , tipper_p.avatar_url AS patron_avatar_url
+ , (CASE WHEN tip.visibility > 1 THEN tipper_p.avatar_url ELSE '' END) AS patron_avatar_url
 FROM current_tips tip
 JOIN participants tipper_p ON tipper_p.id = tip.tipper
 WHERE tip.tippee = %s
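Review bot: The threshold `tip.visibility > 1` is a magic number repeated in both hunks (the `scope == 'active'` query at line 33 and the `scope == 'all'` query at line 87 of export.spt) with nothing stating which visibility levels count as private, so a reader cannot tell from the SQL alone why 1 is the cut-off; a comment above each CASE such as `-- the avatar identifies the patron: only expose it when the tip's visibility allows it` (or a named constant on the Python side of the simplate) would make the rule greppable. The masking expression is pasted once per `scope` branch; factoring it into a single Python-side string used by both queries would keep a future third branch from silently re-leaking the avatar. The export presumably selects other patron columns outside these hunks, so it is worth confirming that every identifying column, not only avatar_url, is gated the same way, and adding a regression test that exports a patron list containing a tip with visibility <= 1 and asserts no identifying field appears. Substituting `''` rather than NULL is reasonable for a CSV export, but a consumer that distinguishes "no avatar" from "hidden" would lose that distinction — the consumer is not visible here. Both enclosing query strings start and end outside the hunks.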