mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2026-06-22 20:00:39 +00:00
d38b99887d
This fixes a reported security vulnerability where one user could retrieve revisions of another note to which they don't have access. This was possible because the URL included both the note alias and the revision UUID; the backend then checked the user's permissions for the note alias but fetched and returned the revision by its UUID without checking whether the revision belongs to that note.

Credits for finding and reporting this vulnerability to:
- The Raw (https://github.com/therawdev)
- Vishal (https://github.com/shukla304)

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
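The authorization flaw described in the commit message, as an added illustration that is not HedgeDoc's own code: a handler that checks the caller's permission on the note alias but loads the revision by UUID alone, next to the corrected form that binds the revision lookup to the note the permission was checked against. The note and revision records, user names and helper functions are constructed for this example.

```typescript
// Constructed in-memory records standing in for the database.
interface Note { id: string; aliases: string[]; readers: string[] }
interface Revision { uuid: string; noteId: string; content: string }

const notes: Note[] = [
  { id: 'n1', aliases: ['public-roadmap'], readers: ['alice', 'bob'] },
  { id: 'n2', aliases: ['board-minutes'], readers: ['alice'] },
];
const revisions: Revision[] = [
  { uuid: 'rev-1111', noteId: 'n1', content: 'roadmap v1' },
  { uuid: 'rev-2222', noteId: 'n2', content: 'confidential minutes' },
];

function findNoteByAlias(alias: string): Note {
  const note = notes.find((n) => n.aliases.includes(alias));
  if (!note) throw new Error('note not found');
  return note;
}

function assertCanRead(user: string, note: Note): void {
  if (!note.readers.includes(user)) throw new Error('forbidden');
}

// Flawed handler: the permission check is tied to the alias, but the
// revision is fetched by UUID only, so any revision UUID is returned
// as long as the caller may read *some* note named in the URL.
function getRevisionVulnerable(user: string, alias: string, uuid: string): string {
  const note = findNoteByAlias(alias);
  assertCanRead(user, note);
  const rev = revisions.find((r) => r.uuid === uuid);
  if (!rev) throw new Error('revision not found');
  return rev.content;
}

// Fixed handler: the revision must belong to the note whose permission
// was just checked. A revision of another note is reported exactly like
// a missing one, so the response does not reveal that the UUID exists.
function getRevisionFixed(user: string, alias: string, uuid: string): string {
  const note = findNoteByAlias(alias);
  assertCanRead(user, note);
  const rev = revisions.find((r) => r.uuid === uuid && r.noteId === note.id);
  if (!rev) throw new Error('revision not found');
  return rev.content;
}
```

The condition `r.noteId === note.id` is the whole fix: the object-level check that ties the fetched resource to the authorized parent.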