PadMessageHandler: Don't trust user-provided padId

2025-05-02 13:19:14 -04:00 · 2022-02-23 01:03:46 -05:00 · 2022-02-23 01:03:46 -05:00 · ba370b0e05
commit ba370b0e05
parent bdbde88fed
4 changed files with 115 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,11 @@

 (not yet released)

+### Security fixes
+
+* Fixed a vunlerability in the `CHANGESET_REQ` message handler that allowed a
+  user with any access to read any pad if the pad ID is known.
+
 ### Notable enhancements and fixes

 * Fixed a bug that caused all pad edit messages received at the server to go