Properly avoid private forum leak in deep search

mGroupFlags & GXS_SERV::FLAG_PRIVACY_PUBLIC is always true for forums,
  even if they are circle restricted; use the circle flags to check whether
  a forum is really public
Gioacchino Mazzurco 2021-09-29 22:25:04 +02:00
parent 2196505d19
commit 0b58740174
No known key found for this signature in database
GPG Key ID: A1FBCA3872E87051
2 changed files with 7 additions and 3 deletions


@ -4,7 +4,8 @@
* libretroshare: retroshare core library *
* *
* Copyright (C) 2012-2014 Robert Fernie <retroshare@lunamutt.com> *
* Copyright (C) 2018-2019 Gioacchino Mazzurco <gio@eigenlab.org> *
* Copyright (C) 2018-2021 Gioacchino Mazzurco <gio@eigenlab.org> *
* Copyright (C) 2019-2021 Asociación Civil Altermundi <info@altermundi.net> *
* *
* This program is free software: you can redistribute it and/or modify *
* it under the terms of the GNU Lesser General Public License as *
@ -46,7 +47,7 @@ extern RsGxsCircles* rsGxsCircles;
enum class RsGxsCircleType : uint32_t // 32 bit overkill, just for retrocompat
{
UNKNOWN = 0, /// Used to detect uninizialized values.
PUBLIC = 1, /// Public distribution, based on GxsIds
PUBLIC = 1, /// Public distribution
EXTERNAL = 2, /// Restricted to an external circle, based on GxsIds
NODES_GROUP = 3, /// Restricted to a group of friend nodes, the administrator of the circle behave as a hub for them


@ -653,6 +653,8 @@ bool p3GxsForums::createForumV2(
forum.mMeta.mSignFlags = GXS_SERV::FLAG_GROUP_SIGN_PUBLISH_NONEREQ
| GXS_SERV::FLAG_AUTHOR_AUTHENTICATION_REQUIRED;
/* This flag have always this value even for circle restricted forums due to
* how GXS distribute/verify groups */
forum.mMeta.mGroupFlags = GXS_SERV::FLAG_PRIVACY_PUBLIC;
forum.mMeta.mCircleId.clear();
@ -1565,7 +1567,8 @@ std::error_condition p3GxsForums::prepareSearchResults(
// Avoid leaking sensitive information to unkown peers
if( publicOnly &&
!(fMeta.mGroupFlags & GXS_SERV::FLAG_PRIVACY_PUBLIC) ) continue;
( static_cast<RsGxsCircleType>(fMeta.mCircleType) !=
RsGxsCircleType::PUBLIC ) ) continue;
RsGxsSearchResult res;
res.mGroupId = forumId;
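Review bot: The new filter in prepareSearchResults carries no explanation of why it tests `fMeta.mCircleType` instead of `mGroupFlags`, so a later cleanup could put the flag test back and reopen the leak; the explanation added in this commit sits only in createForumV2. I would extend the comment above the check with `// mGroupFlags is always FLAG_PRIVACY_PUBLIC for forums, only the circle type tells whether a forum is restricted`. The `!= RsGxsCircleType::PUBLIC` form is the right shape because it also skips `UNKNOWN` and any unrecognised value, and a regression test that runs a `publicOnly` search over a circle-restricted forum would pin that. If other GXS services filter their search results on the same flag they may need the same change, which cannot be confirmed from this page. Both functions start and end outside their hunks.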